Windows Analysis Report
rocroc.exe

Antivirus detection for URL or domain

Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: http://www.barnstorm-music.com/re29/www.1whxgd.top	Avira URL Cloud: Label: malware
Source: http://www.hagfiw.xyz/re29/www.langlalang.com	Avira URL Cloud: Label: malware
Source: http://www.acorsgroup.com	Avira URL Cloud: Label: malware
Source: http://www.corollacompany.africa	Avira URL Cloud: Label: malware
Source: http://www.senriki.net/re29/?0DK4Qn=yRhazfKsHirG6nKYYI6mAz5vTQUNqz4sZ9ZrGGOS+9vLvJ0EFUwbGotar2I3eQhiIGPXkjmVOg==&nPW=WdYdbB1p3b2H7x	Avira URL Cloud: Label: malware
Source: http://www.hagfiw.xyz	Avira URL Cloud: Label: malware
Source: http://www.barnstorm-music.com	Avira URL Cloud: Label: malware
Source: http://www.barnstorm-music.com/re29/	Avira URL Cloud: Label: malware
Source: http://www.acorsgroup.com/re29/	Avira URL Cloud: Label: malware
Source: http://www.detoxshopbr.store/re29/	Avira URL Cloud: Label: malware
Source: http://www.hagfiw.xyz/re29/	Avira URL Cloud: Label: malware
Source: http://www.detoxshopbr.store/re29/www.jabberglotty.com	Avira URL Cloud: Label: malware
Source: http://www.1whxgd.top/re29/	Avira URL Cloud: Label: malware
Source: http://www.senriki.net/re29/www.alaaeldinsoft.com	Avira URL Cloud: Label: malware
Source: http://www.1whxgd.top/re29/www.hagfiw.xyz	Avira URL Cloud: Label: malware
Source: http://www.corollacompany.africa/re29/www.detoxshopbr.store	Avira URL Cloud: Label: malware
Source: http://www.corollacompany.africa/re29/	Avira URL Cloud: Label: malware
Source: http://www.acorsgroup.com/re29/www.fxtcb8.site	Avira URL Cloud: Label: malware
Source: www.senriki.net/re29/	Avira URL Cloud: Label: malware
Source: http://www.senriki.net/re29/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Avira: detection malicious, Label: HEUR/AGEN.1242497

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Source: rocroc.exe

Joe Sandbox ML: detected

Source: 1.2.nmtargerx.exe.1330000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.nmtargerx.exe.400000.1.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.senriki.net/re29/"], "decoy": ["barnstorm-music.com", "gazzettadellapuglia.com", "baratieistore.space", "cdrjdkj.com", "carlissablog.com", "langlalang.com", "2886365.com", "aq993.cyou", "jwjwjwjw.com", "car-deals-80304.com", "dikevolesas.info", "buycialistablets.online", "theplantgranny.net", "detoxshopbr.store", "imans.biz", "fightingcock.co.uk", "loveforfurbabies.com", "eastcoastbeveragegroup.com", "alaaeldinsoft.com", "microshel.com", "deal-markt.com", "hypothetical.systems", "baxhakutrade.com", "chiehhsikaoportfolio.com", "brandsmania.net", "follred.com", "6566x14.app", "defi88.com", "h-skyseo.com", "imagina-onshop.com", "bambooleavescompany.com", "cmojohnny.com", "1whxgd.top", "infernaljournal.app", "kk156.net", "chokolatk.com", "guoshan-0800777216.com", "funparty.rsvp", "helenfallon.com", "digitalmagazine.online", "idealcutandtrim.com", "bricoitalia.net", "ecwid-store-copy.net", "iljamusic.com", "uvcon.africa", "hoodiesupplycol.com", "iilykt.top", "continuousvoltage.com", "josephajaogo.africa", "baba-robot.ru", "1wsfcg.top", "hagfiw.xyz", "firstcitizncb.com", "calamitouscrochet.shop", "829727.com", "eleonorasdaycare.com", "lafourmiprovencal.ch", "corollacompany.africa", "acorsgroup.com", "jabberglotty.com", "akhlit.com", "kompetenceboersen.online", "fxtcb8.site", "whetegeneralprojects.africa"]}

Source: rocroc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: rocroc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: nmtargerx.exe, 00000002.00000002.297730521.00000000015C0000.00000040.10000000.00040000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.297823267.00000000015FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: nmtargerx.exe, 00000001.00000003.249586230.000000001AE70000.00000004.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000001.00000003.249275139.000000001ACE0000.00000004.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000003.257125383.0000000001896000.00000004.00000020.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001B4F000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000003.255387906.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.297668380.000000000459B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000049EF000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.300560128.0000000004731000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nmtargerx.exe, nmtargerx.exe, 00000002.00000003.257125383.0000000001896000.00000004.00000020.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001B4F000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000003.255387906.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.297668380.000000000459B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000049EF000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.300560128.0000000004731000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cscript.pdb source: nmtargerx.exe, 00000002.00000002.297730521.00000000015C0000.00000040.10000000.00040000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.297823267.00000000015FA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_0040290B FindFirstFileW,

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 4x nop then pop esi
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 4x nop then pop edi

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 160.121.108.17 80
Source: C:\Windows\explorer.exe	Domain query: www.alaaeldinsoft.com
Source: C:\Windows\explorer.exe	Domain query: www.kk156.net
Source: C:\Windows\explorer.exe	Domain query: www.senriki.net
Source: C:\Windows\explorer.exe	Network Connect: 192.185.52.247 80

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 192.185.52.247:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 192.185.52.247:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49707 -> 192.185.52.247:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.senriki.net/re29/

Source: Joe Sandbox View

ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK CLAYERLIMITED-AS-APClayerLimitedHK

Source: global traffic	HTTP traffic detected: GET /re29/?0DK4Qn=GULsnGSHMoQzF5BSBaA7IgErJIrC6IG18OGrAG0wV2/PJUf48ccOVKgRcy3msHjKmovQQ592kQ==&nPW=WdYdbB1p3b2H7x HTTP/1.1Host: www.kk156.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /re29/?0DK4Qn=yRhazfKsHirG6nKYYI6mAz5vTQUNqz4sZ9ZrGGOS+9vLvJ0EFUwbGotar2I3eQhiIGPXkjmVOg==&nPW=WdYdbB1p3b2H7x HTTP/1.1Host: www.senriki.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Mon, 20 Mar 2023 07:48:57 GMTContent-Type: text/htmlContent-Length: 566Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>

Source: rocroc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1whxgd.top
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1whxgd.top/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1whxgd.top/re29/www.hagfiw.xyz
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.1whxgd.topReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acorsgroup.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acorsgroup.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acorsgroup.com/re29/www.fxtcb8.site
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.acorsgroup.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alaaeldinsoft.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alaaeldinsoft.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alaaeldinsoft.com/re29/www.aq993.cyou
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.alaaeldinsoft.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aq993.cyou
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aq993.cyou/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aq993.cyou/re29/www.barnstorm-music.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.aq993.cyouReferer:
Source: explorer.exe, 00000003.00000000.270169832.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.262086599.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.511875749.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462968225.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.520408845.0000000008442000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnstorm-music.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnstorm-music.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnstorm-music.com/re29/www.1whxgd.top
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.barnstorm-music.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.corollacompany.africa
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.corollacompany.africa/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.corollacompany.africa/re29/www.detoxshopbr.store
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.corollacompany.africaReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.defi88.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.defi88.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.defi88.com/re29/www.corollacompany.africa
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.defi88.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.detoxshopbr.store
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.detoxshopbr.store/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.detoxshopbr.store/re29/www.jabberglotty.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.detoxshopbr.storeReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dikevolesas.info
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dikevolesas.info/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dikevolesas.info/re29/www.follred.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.dikevolesas.infoReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.follred.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.follred.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.follred.com/re29/R
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.follred.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fxtcb8.site
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fxtcb8.site/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fxtcb8.site/re29/www.dikevolesas.info
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.fxtcb8.siteReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hagfiw.xyz
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hagfiw.xyz/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hagfiw.xyz/re29/www.langlalang.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.hagfiw.xyzReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jabberglotty.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jabberglotty.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jabberglotty.com/re29/www.acorsgroup.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.jabberglotty.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kk156.net
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kk156.net/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kk156.net/re29/www.senriki.net
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kk156.netReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.langlalang.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.langlalang.com/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.langlalang.com/re29/www.defi88.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.langlalang.comReferer:
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senriki.net
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senriki.net/re29/
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senriki.net/re29/www.alaaeldinsoft.com
Source: explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.senriki.netReferer:
Source: explorer.exe, 00000003.00000002.525150078.0000000013A0F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000008.00000002.513850777.00000000052EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://47.116.3.86:29920/kok/logo.png
Source: explorer.exe, 00000003.00000002.525150078.0000000013A0F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000008.00000002.513850777.00000000052EF000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.zoty1116.com:30120/register/?i_code=4627044

Source: unknown

DNS traffic detected: queries for: www.kk156.net

Source: global traffic	HTTP traffic detected: GET /re29/?0DK4Qn=GULsnGSHMoQzF5BSBaA7IgErJIrC6IG18OGrAG0wV2/PJUf48ccOVKgRcy3msHjKmovQQ592kQ==&nPW=WdYdbB1p3b2H7x HTTP/1.1Host: www.kk156.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /re29/?0DK4Qn=yRhazfKsHirG6nKYYI6mAz5vTQUNqz4sZ9ZrGGOS+9vLvJ0EFUwbGotar2I3eQhiIGPXkjmVOg==&nPW=WdYdbB1p3b2H7x HTTP/1.1Host: www.senriki.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: nmtargerx.exe, 00000001.00000002.257134167.00000000014EA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\rocroc.exe

Code function: 0_2_00405809 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.516554082.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: nmtargerx.exe PID: 3140, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: cscript.exe PID: 1788, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Source: rocroc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.516554082.0000000005840000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: nmtargerx.exe PID: 3140, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: cscript.exe PID: 1788, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: C:\Users\user\Desktop\rocroc.exe

Code function: 0_2_00403640 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_00406D5F
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_000B2495
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F53237
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F533B4
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_000B2495
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041E85B
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041D81B
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_00401030
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041E086
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041DAD2
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041E28B
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041E5F1
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041DD91
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_00409E4B
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_00409E50
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_00402FB0
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A74120
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5F900
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B220A8
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6B090
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B228EC
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11002
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8EBB0
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1DBD2
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B22B28
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B222AE
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82581
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6D5E0
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B225DD
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A50D20
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B22D07
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B21D55
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6841F
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1D466
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B21FF1

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: String function: 000B2A5C appears 70 times
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: String function: 000B1E8A appears 44 times
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: String function: 01A5B150 appears 35 times

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A350 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A400 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A480 NtClose,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A530 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A34A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A3A3 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A52A NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A999A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A998F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A995D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A997A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A996E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A999D0 NtCreateProcessEx,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99950 NtQueueApcThread,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A998A0 NtWriteVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99820 NtEnumerateKey,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A9B040 NtSuspendThread,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A9A3B0 NtGetContextThread,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99B00 NtSetValueKey,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99A80 NtOpenDirectoryObject,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99A10 NtQuerySection,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A995F0 NtQueryInformationFile,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99520 NtWaitForSingleObject,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A9AD30 NtSetContextThread,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99560 NtWriteFile,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99FE0 NtCreateMutant,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99730 NtQueryVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A9A710 NtOpenProcessToken,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99760 NtOpenProcess,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A9A770 NtOpenThread,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A99770 NtSetInformationFile,

Source: rocroc.exe

ReversingLabs: Detection: 74%

Source: C:\Users\user\Desktop\rocroc.exe

File read: C:\Users\user\Desktop\rocroc.exe

Source: rocroc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\rocroc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\rocroc.exe C:\Users\user\Desktop\rocroc.exe
Source: C:\Users\user\Desktop\rocroc.exe	Process created: C:\Users\user\AppData\Local\Temp\nmtargerx.exe "C:\Users\user\AppData\Local\Temp\nmtargerx.exe" C:\Users\user\AppData\Local\Temp\rimgurbkmm.edy
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Process created: C:\Users\user\AppData\Local\Temp\nmtargerx.exe C:\Users\user\AppData\Local\Temp\nmtargerx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\nmtargerx.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rocroc.exe	Process created: C:\Users\user\AppData\Local\Temp\nmtargerx.exe "C:\Users\user\AppData\Local\Temp\nmtargerx.exe" C:\Users\user\AppData\Local\Temp\rimgurbkmm.edy
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Process created: C:\Users\user\AppData\Local\Temp\nmtargerx.exe C:\Users\user\AppData\Local\Temp\nmtargerx.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\cscript.exe C:\Windows\SysWOW64\cscript.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\nmtargerx.exe"

Source: C:\Users\user\Desktop\rocroc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Source: C:\Users\user\Desktop\rocroc.exe

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\WER\ERC\statecache.lock

Source: C:\Users\user\Desktop\rocroc.exe

File created: C:\Users\user\AppData\Local\Temp\nsoFB76.tmp

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/5@4/2

Source: C:\Users\user\Desktop\rocroc.exe

Code function: 0_2_004021AA CoCreateInstance,

Source: C:\Users\user\Desktop\rocroc.exe

File read: C:\Users\desktop.ini

Modifies the prolog of user mode functions (user mode inline hooks)

Source: C:\Users\user\Desktop\rocroc.exe

Code function: 0_2_00404AB5 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2604:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Command line argument: 248058040134
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Command line argument: 248058040134

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: rocroc.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: cscript.pdbUGP source: nmtargerx.exe, 00000002.00000002.297730521.00000000015C0000.00000040.10000000.00040000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.297823267.00000000015FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: nmtargerx.exe, 00000001.00000003.249586230.000000001AE70000.00000004.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000001.00000003.249275139.000000001ACE0000.00000004.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000003.257125383.0000000001896000.00000004.00000020.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001B4F000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000003.255387906.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.297668380.000000000459B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000049EF000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.300560128.0000000004731000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: nmtargerx.exe, nmtargerx.exe, 00000002.00000003.257125383.0000000001896000.00000004.00000020.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001A30000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.298053237.0000000001B4F000.00000040.00001000.00020000.00000000.sdmp, nmtargerx.exe, 00000002.00000003.255387906.00000000016F3000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.297668380.000000000459B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000049EF000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.512723204.00000000048D0000.00000040.00001000.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.300560128.0000000004731000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: cscript.pdb source: nmtargerx.exe, 00000002.00000002.297730521.00000000015C0000.00000040.10000000.00040000.00000000.sdmp, nmtargerx.exe, 00000002.00000002.297823267.00000000015FA000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_000B2AA1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F53FA7 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_000B2AA1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041A905 push edi; retf
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041D4F2 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041D4FB push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041D4A5 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_0041D55C push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_004165C9 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AAD0D1 push ecx; ret

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 1_2_000B6096 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

Source: C:\Users\user\Desktop\rocroc.exe

File created: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe

User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE1

Source: C:\Users\user\Desktop\rocroc.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000839904 second address: 000000000083990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cscript.exe	RDTSC instruction interceptor: First address: 0000000000839B6E second address: 0000000000839B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\cscript.exe TID: 2188

Thread sleep time: -42000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cscript.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 2_2_00409AA0 rdtsc

Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 872
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 854

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

API coverage: 5.2 %

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 1_2_02F5315A GetSystemInfo,

Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_00405D74 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,
Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_0040699E FindFirstFileW,FindClose,
Source: C:\Users\user\Desktop\rocroc.exe	Code function: 0_2_0040290B FindFirstFileW,

Source: C:\Users\user\Desktop\rocroc.exe

API call chain: ExitProcess graph end node

Source: explorer.exe, 00000003.00000003.463518023.000000000F6DF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.463518023.000000000F6DF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000003.461063437.000000000683A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000002.519896009.00000000081DD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000^
Source: explorer.exe, 00000003.00000002.516863587.0000000006710000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: explorer.exe, 00000003.00000003.462352691.000000000F52A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.524564175.000000000F54E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462767000.000000000F53F000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000003.00000003.463518023.000000000F6DF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}5
Source: explorer.exe, 00000003.00000002.524659417.000000000F5F1000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.270169832.0000000008304000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000003.00000003.463518023.000000000F6DF000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: explorer.exe, 00000003.00000003.462516348.000000000F255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.463546500.000000000F2A9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW4t$"
Source: explorer.exe, 00000003.00000000.270169832.00000000082B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}osoft S
Source: explorer.exe, 00000003.00000003.463621804.00000000082B2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000003.00000003.463621804.0000000008250000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>&

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 1_2_000B3819 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 1_2_000B984C CreateFileA,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 2_2_00409AA0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F52AFB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F52ABE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F52A89 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_02F529DF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A861A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AE41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A74120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A74120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A990AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A820A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A558EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B24015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B12073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B21074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A70050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A84BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B25BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A61B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B0D380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A803E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A83B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B28B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A552A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A94A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A94A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A68A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A55210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A55210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A73A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B0B260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B28A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A9927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1EA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A59240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AE4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A835A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A81DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B205AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A82581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A52D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B08DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1FDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B28D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B1E539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A63D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A84D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A5AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01ADA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A93D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A77D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B114FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B28CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B11C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B2740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A68794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AD7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A937F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A54F2E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8E730 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A8A70E mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A7F716 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01AEFF10 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B2070D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6FF60 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01B28F6A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_01A6EF40 mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\cscript.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_000B3819 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_000B9622 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_000B5B55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 1_2_000B4954 SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_000B3819 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_000B9622 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_000B5B55 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: 2_2_000B4954 SetUnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 160.121.108.17 80
Source: C:\Windows\explorer.exe	Domain query: www.alaaeldinsoft.com
Source: C:\Windows\explorer.exe	Domain query: www.kk156.net
Source: C:\Windows\explorer.exe	Domain query: www.senriki.net
Source: C:\Windows\explorer.exe	Network Connect: 192.185.52.247 80

Sample uses process hollowing technique

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Section unmapped: C:\Windows\SysWOW64\cscript.exe base address: D90000

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Section loaded: unknown target: C:\Users\user\AppData\Local\Temp\nmtargerx.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Section loaded: unknown target: C:\Windows\SysWOW64\cscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Queues an APC in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\cscript.exe	Thread register set: target process: 3452

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Process created: C:\Users\user\AppData\Local\Temp\nmtargerx.exe C:\Users\user\AppData\Local\Temp\nmtargerx.exe
Source: C:\Windows\SysWOW64\cscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\nmtargerx.exe"

Source: explorer.exe, 00000003.00000000.262735788.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.512768045.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: XProgram Manager
Source: explorer.exe, 00000003.00000000.267064140.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.516781838.0000000005D90000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.262735788.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.262735788.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.262086599.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.511875749.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.262735788.0000000001080000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.512768045.0000000001080000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe	Code function: GetLocaleInfoA,

Source: C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Code function: 1_2_000B5578 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

Source: C:\Users\user\Desktop\rocroc.exe

Stealing of Sensitive Information

Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.nmtargerx.exe.1330000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.nmtargerx.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.512168370.0000000000D60000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297641452.0000000001400000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.511623036.0000000000830000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297541015.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.512093073.0000000000D30000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.297615381.00000000013D0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.256878457.0000000001330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	12 Native API	Path Interception	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Credential API Hooking	1 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	3 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	512 Process Injection	3 Obfuscated Files or Information	1 Input Capture	2 File and Directory Discovery	Remote Desktop Protocol	1 Credential API Hooking	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	115 System Information Discovery	SMB/Windows Admin Shares	1 Input Capture	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Rootkit	NTDS	241 Security Software Discovery	Distributed Component Object Model	1 Clipboard Data	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	2 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Process Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	1 Application Window Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	512 Process Injection	Proc Filesystem	1 Remote System Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rocroc.exe	74%	ReversingLabs	Win32.Trojan.Leonem
rocroc.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nmtargerx.exe	100%	Avira	HEUR/AGEN.1242497
C:\Users\user\AppData\Local\Temp\nmtargerx.exe	31%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.2.nmtargerx.exe.1330000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
2.0.nmtargerx.exe.b0000.0.unpack	100%	Avira	HEUR/AGEN.1242497	Download File
2.2.nmtargerx.exe.b0000.0.unpack	100%	Avira	HEUR/AGEN.1242497	Download File
2.2.nmtargerx.exe.400000.1.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
1.0.nmtargerx.exe.b0000.0.unpack	100%	Avira	HEUR/AGEN.1242497	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.senriki.net	0%	Avira URL Cloud	safe
http://www.barnstorm-music.com/re29/www.1whxgd.top	100%	Avira URL Cloud	malware
http://www.langlalang.com	0%	Avira URL Cloud	safe
http://www.aq993.cyou/re29/www.barnstorm-music.com	0%	Avira URL Cloud	safe
http://www.fxtcb8.site	0%	Avira URL Cloud	safe
http://www.kk156.net/re29/	0%	Avira URL Cloud	safe
http://www.dikevolesas.infoReferer:	0%	Avira URL Cloud	safe
http://www.hagfiw.xyz/re29/www.langlalang.com	100%	Avira URL Cloud	malware
http://www.detoxshopbr.store	0%	Avira URL Cloud	safe
http://www.acorsgroup.com	100%	Avira URL Cloud	malware
http://www.1whxgd.topReferer:	0%	Avira URL Cloud	safe
http://www.corollacompany.africa	100%	Avira URL Cloud	malware
http://www.senriki.net/re29/?0DK4Qn=yRhazfKsHirG6nKYYI6mAz5vTQUNqz4sZ9ZrGGOS+9vLvJ0EFUwbGotar2I3eQhiIGPXkjmVOg==&nPW=WdYdbB1p3b2H7x	100%	Avira URL Cloud	malware
http://www.jabberglotty.com/re29/www.acorsgroup.com	0%	Avira URL Cloud	safe
http://www.hagfiw.xyz	100%	Avira URL Cloud	malware
http://www.barnstorm-music.com	100%	Avira URL Cloud	malware
http://www.barnstorm-music.com/re29/	100%	Avira URL Cloud	malware
http://www.acorsgroup.com/re29/	100%	Avira URL Cloud	malware
http://www.detoxshopbr.store/re29/	100%	Avira URL Cloud	malware
http://www.hagfiw.xyz/re29/	100%	Avira URL Cloud	malware
http://www.defi88.com	0%	Avira URL Cloud	safe
http://www.dikevolesas.info/re29/www.follred.com	0%	Avira URL Cloud	safe
http://www.defi88.com/re29/www.corollacompany.africa	0%	Avira URL Cloud	safe
http://www.aq993.cyou	0%	Avira URL Cloud	safe
http://www.follred.com/re29/R	0%	Avira URL Cloud	safe
http://www.follred.comReferer:	0%	Avira URL Cloud	safe
http://www.alaaeldinsoft.com/re29/www.aq993.cyou	0%	Avira URL Cloud	safe
http://www.detoxshopbr.store/re29/www.jabberglotty.com	100%	Avira URL Cloud	malware
http://www.kk156.netReferer:	0%	Avira URL Cloud	safe
http://www.alaaeldinsoft.com	0%	Avira URL Cloud	safe
http://www.langlalang.com/re29/www.defi88.com	0%	Avira URL Cloud	safe
http://www.1whxgd.top/re29/	100%	Avira URL Cloud	malware
http://www.kk156.net/re29/www.senriki.net	0%	Avira URL Cloud	safe
http://www.aq993.cyou/re29/	0%	Avira URL Cloud	safe
http://www.senriki.net/re29/www.alaaeldinsoft.com	100%	Avira URL Cloud	malware
http://www.1whxgd.top/re29/www.hagfiw.xyz	100%	Avira URL Cloud	malware
http://www.senriki.netReferer:	0%	Avira URL Cloud	safe
http://www.langlalang.com/re29/	0%	Avira URL Cloud	safe
http://www.hagfiw.xyzReferer:	0%	Avira URL Cloud	safe
http://www.detoxshopbr.storeReferer:	0%	Avira URL Cloud	safe
http://www.kk156.net	0%	Avira URL Cloud	safe
http://www.langlalang.comReferer:	0%	Avira URL Cloud	safe
http://www.fxtcb8.site/re29/www.dikevolesas.info	0%	Avira URL Cloud	safe
https://www.zoty1116.com:30120/register/?i_code=4627044	0%	Avira URL Cloud	safe
http://www.fxtcb8.site/re29/	0%	Avira URL Cloud	safe
http://www.fxtcb8.siteReferer:	0%	Avira URL Cloud	safe
http://www.corollacompany.africa/re29/www.detoxshopbr.store	100%	Avira URL Cloud	malware
http://www.corollacompany.africa/re29/	100%	Avira URL Cloud	malware
http://www.alaaeldinsoft.com/re29/	0%	Avira URL Cloud	safe
https://47.116.3.86:29920/kok/logo.png	0%	Avira URL Cloud	safe
http://www.1whxgd.top	0%	Avira URL Cloud	safe
http://www.barnstorm-music.comReferer:	0%	Avira URL Cloud	safe
http://www.defi88.com/re29/	0%	Avira URL Cloud	safe
http://www.jabberglotty.com/re29/	0%	Avira URL Cloud	safe
http://www.kk156.net/re29/?0DK4Qn=GULsnGSHMoQzF5BSBaA7IgErJIrC6IG18OGrAG0wV2/PJUf48ccOVKgRcy3msHjKmovQQ592kQ==&nPW=WdYdbB1p3b2H7x	0%	Avira URL Cloud	safe
http://www.jabberglotty.comReferer:	0%	Avira URL Cloud	safe
http://www.corollacompany.africaReferer:	0%	Avira URL Cloud	safe
http://www.follred.com/re29/	0%	Avira URL Cloud	safe
http://www.acorsgroup.com/re29/www.fxtcb8.site	100%	Avira URL Cloud	malware
http://www.dikevolesas.info/re29/	0%	Avira URL Cloud	safe
http://www.dikevolesas.info	0%	Avira URL Cloud	safe
http://www.follred.com	0%	Avira URL Cloud	safe
http://www.aq993.cyouReferer:	0%	Avira URL Cloud	safe
www.senriki.net/re29/	100%	Avira URL Cloud	malware
http://www.defi88.comReferer:	0%	Avira URL Cloud	safe
http://www.jabberglotty.com	0%	Avira URL Cloud	safe
http://www.alaaeldinsoft.comReferer:	0%	Avira URL Cloud	safe
http://www.senriki.net/re29/	100%	Avira URL Cloud	malware
http://www.acorsgroup.comReferer:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.senriki.net	160.121.108.17	true	true	unknown
www.kk156.net	192.185.52.247	true	true	unknown
www.aq993.cyou	unknown	unknown	true	unknown
www.alaaeldinsoft.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.senriki.net/re29/?0DK4Qn=yRhazfKsHirG6nKYYI6mAz5vTQUNqz4sZ9ZrGGOS+9vLvJ0EFUwbGotar2I3eQhiIGPXkjmVOg==&nPW=WdYdbB1p3b2H7x	true	Avira URL Cloud: malware	unknown
http://www.kk156.net/re29/?0DK4Qn=GULsnGSHMoQzF5BSBaA7IgErJIrC6IG18OGrAG0wV2/PJUf48ccOVKgRcy3msHjKmovQQ592kQ==&nPW=WdYdbB1p3b2H7x	true	Avira URL Cloud: safe	unknown
www.senriki.net/re29/	true	Avira URL Cloud: malware	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.barnstorm-music.com/re29/www.1whxgd.top	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.barnstorm-music.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.barnstorm-music.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.acorsgroup.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.senriki.net	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.langlalang.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fxtcb8.site	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aq993.cyou/re29/www.barnstorm-music.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hagfiw.xyz/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.kk156.net/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.hagfiw.xyz	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.hagfiw.xyz/re29/www.langlalang.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.acorsgroup.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.dikevolesas.infoReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.detoxshopbr.store	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1whxgd.topReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.corollacompany.africa	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.detoxshopbr.store/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.jabberglotty.com/re29/www.acorsgroup.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.defi88.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dikevolesas.info/re29/www.follred.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alaaeldinsoft.com/re29/www.aq993.cyou	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.follred.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.detoxshopbr.store/re29/www.jabberglotty.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.alaaeldinsoft.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.follred.com/re29/R	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.langlalang.com/re29/www.defi88.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aq993.cyou	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kk156.netReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.defi88.com/re29/www.corollacompany.africa	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kk156.net/re29/www.senriki.net	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1whxgd.top/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.aq993.cyou/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.1whxgd.top/re29/www.hagfiw.xyz	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.270169832.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.262086599.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.511875749.0000000000AC8000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462968225.0000000008442000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.520408845.0000000008442000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.hagfiw.xyzReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.senriki.net/re29/www.alaaeldinsoft.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.detoxshopbr.storeReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.senriki.netReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.langlalang.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kk156.net	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.langlalang.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.zoty1116.com:30120/register/?i_code=4627044	explorer.exe, 00000003.00000002.525150078.0000000013A0F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000008.00000002.513850777.00000000052EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fxtcb8.site/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fxtcb8.site/re29/www.dikevolesas.info	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.corollacompany.africa/re29/www.detoxshopbr.store	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.fxtcb8.siteReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alaaeldinsoft.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://47.116.3.86:29920/kok/logo.png	explorer.exe, 00000003.00000002.525150078.0000000013A0F000.00000004.80000000.00040000.00000000.sdmp, cscript.exe, 00000008.00000002.513850777.00000000052EF000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	rocroc.exe	false		high
http://www.corollacompany.africa/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.1whxgd.top	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.barnstorm-music.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.defi88.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jabberglotty.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.corollacompany.africaReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dikevolesas.info/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jabberglotty.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.follred.com/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.acorsgroup.com/re29/www.fxtcb8.site	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.dikevolesas.info	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.follred.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.aq993.cyouReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.alaaeldinsoft.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.defi88.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jabberglotty.com	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.senriki.net/re29/	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.acorsgroup.comReferer:	explorer.exe, 00000003.00000002.524465285.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.461212385.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.462613362.000000000F4B5000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
160.121.108.17	www.senriki.net	South Africa		137951	CLAYERLIMITED-AS-APClayerLimitedHK	true
192.185.52.247	www.kk156.net	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox Version:	37.0.0 Beryl
Analysis ID:	830303
Start date and time:	2023-03-20 08:46:27 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 54s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	rocroc.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/5@4/2
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 42.1% (good quality ratio 40.4%) Quality average: 78.9% Quality standard deviation: 26.7%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 209.197.3.8
Excluded domains from analysis (whitelisted): fs.microsoft.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, wu-bg-shim.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: rocroc.exe

Simulations

Behavior and APIs

Time	Type	Description
08:47:43	API Interceptor	698x Sleep call for process: explorer.exe modified

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	984
Entropy (8bit):	5.204081515204597
Encrypted:	false
SSDEEP:	24:Yq6CUXyhmQmnbNdB6hmxjmnz0JahmemnHZ6T06MhmDmnbxdB6hmktmn7KTdB6hm0:YqDUXyctnbNdUcAnz0JacPnHZ6T06McW
MD5:	160494591DCB3DD4E2C36F71207A87F3
SHA1:	D611935CA91C155B10A449DB72B3D5C8308A6EB7
SHA-256:	B82EC6928AAA7C30ABBE26DF13CA514DC4508C704F03EB28A4B2ABE40F60DF6E
SHA-512:	301BD7B6A4B7B2D3261C3A10FE98B2B4B811B861FCA077AF8732B7FCDFB2D106FFE82F0072CD859A4436E2EBD9347EACF44539E11AEAD2CA83703737B3030881
Malicious:	false
Preview:	{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":3648731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3638731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":3628731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":3618731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3608731648,"LastSwitchedHighPart":30747937,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3598731648,"LastSwitchedHighPart":30747937,"PrePopulated":true}]}

C:\Users\user\AppData\Local\Temp\nmtargerx.exe

Process:	C:\Users\user\Desktop\rocroc.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	61440
Entropy (8bit):	6.265679032611912
Encrypted:	false
SSDEEP:	768:JXJxBLApCDxvhqBrcbQdYPaPfhJAx1oZakLSO0OYCiPBjgFSd+ChG5Xev3P:JXBdxsBwfaPJJtZFLkPay+V5Xe/
MD5:	5DDE2B26DE7E8B448EDCED428AF8E385
SHA1:	AC9033CA6155232ED5250DA70B7622D797A41C36
SHA-256:	2423D7CB2BE18902BCDB5C9C5AE88B32F9F4D97C920A429AAF4AE1FF70D70B01
SHA-512:	DBBA75DDA90E4A47948F27D41EC6D55B3B7270134DAC211A3DBBF55F680BBE0F43D36F7703C1761456FD406ED8C30F3FD43D0C4F63EF1EFD47B35C79D8FDB379
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: ReversingLabs, Detection: 31%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......??..{^..{^..{^....j.z^..e.x.[^..e.i.k^..e....^..\...n^..{^...^..e.u.z^..e.n.z^..e.m.z^..Rich{^..........................PE..L...Y..d.....................d....................@..........................0............@.............................#...\|................................ .......................................................................................text.............................. ..`.rdata...$.......&..................@..@.data....,..........................@....reloc....... ......................@..B........................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsoFB77.tmp

Process:	C:\Users\user\Desktop\rocroc.exe
File Type:	data
Category:	dropped
Size (bytes):	290468
Entropy (8bit):	7.686066118581011
Encrypted:	false
SSDEEP:	6144:N4ctNUinAsuMC58arHZJS68nS9beVPRHPSsd+6NVrNbnj1rf7UH3:bFWSmHZJSPS9bQpHP5dTxtrYH
MD5:	B7088F21084BA05718C30F38A65C1962
SHA1:	88AF4651DF9CB248B7287A44EDE4D4590BD1B850
SHA-256:	51095185AD751296C86254BE081B3AB5CE9AA450A4C89C5BF08325DC7C79C1DD
SHA-512:	5EE7619D6D733A957D5AD2183BA98502482B9E76CA468490346F4DE1CD0CED789C09D4CB09E7D43728B97503C590462F753662E491FB41FA0E310FEF47FF5889
Malicious:	false
Preview:	R3......,........................!......p2......:3..............................................................................0...........................................................................................................................................................G...................j...............................................................................................................................i...........Q...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rimgurbkmm.edy

Process:	C:\Users\user\Desktop\rocroc.exe
File Type:	data
Category:	dropped
Size (bytes):	5585
Entropy (8bit):	7.178232710885884
Encrypted:	false
SSDEEP:	96:Farc6oYV7OWg/DrYuTk2XO5oSwYRH1VaNvI5dMS8+FCV76RdoT1uHDfRnTomtC8h:FarcRQyJLhX1S9jgNIMSZMVWQ8JDtC8h
MD5:	1D60216105868CAAA0F06B608139D885
SHA1:	610D96D5761A623D0F3F12E137320486DEE13AFE
SHA-256:	4B276576113FA41BD67EC015F38C8AC857B4ED637C2FAF1B86914B307EAF6AA2
SHA-512:	1E2A7CE5C46DBCE5CF1516AED8FF99653564F9E3D2991EC937BFA3AFC6753AE292DFC88D4096E4B0C19B071357453230237B410965824EFE2B0C673C96DDEF75
Malicious:	false
Preview:	.005m..f.F<...05o.:......?v>.3.3.<......M.knl.02a..c.E<...42c. ......4.D63.6.3.?.....E.gni.53P..805.p8.q?.2.8.u .a..beabo.H0..v..v.@3.`..i/7.p.6.t(2..g.}.u<..G-.0.3.h.f....w8L$.m.r.D;F...okc..m.;4.q.?.<@.4.0...m..u<f...@%.`4..D'd.O$..A5..=..<r..4M.knl.82a..Q..401ec.t4.M4...D;.D..d580..E9....E....3.u.mje.18e..`W..480.x<.p=.4.4.p-P..6.c.!....D%.\|.eX.....+..t..0....e.a..`beP..580.p=.t>.8.5.p,XE..Md.....M9..e...@4......F1..u.\|c.....Lq.}<...v<+480.}<;.&<.>..r.^.q8F0....q.^.q8F0...^..M...3uc.....}<F...kloe.=8e...548.r...t..w.(058.q..v..I.0A..q..34.q.p.}..u.{.w....}.p013......u.L.4F".u..04.t.t.q..p.x.u....q.8580..Y...}..E.4D'.q..80.}.t.t..w.p.p...X+AK..M......v.ZXK.J.E.....}.]..O.F.....u.X_.M.M......H...X...K.D.....}.\&....A..B....G...P5..O.E..P....\...Y...K.E..a....B...].4.T.4.q0.p..q..~<1\|..x.q.>.t&.u.\|1,.t..w.pe..\...w.p..u.T.4.Q.0.}.;.q%..5M%.}.;.qm..tL9.}.5013.6.].5.u...K...P3480..u...dR0.m...D4...B358.q.0342.}.e......dX4R0]<048[3^2^8Z5..p...d.a..

C:\Users\user\AppData\Local\Temp\scrzuow.py