

Windows Analysis Report
4iDSIZ8MhI.exe

Overview

General Information

Sample name: 4iDSIZ8MhI.exe
renamed because original name is a hash value
Original sample name: 459d078aefc37782388eb6c6e1dedb4efc48eb7f3888893ebe1b0962b059a949.exe
Analysis ID: 1504853
MD5: 01284d3ef501955ac9ed679e5cb32e23
SHA1: b86ead0f46e939b6fbde343520133de2daaac2da
SHA256: 459d078aefc37782388eb6c6e1dedb4efc48eb7f3888893ebe1b0962b059a949
Tags: exe

Detection

FormBook
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 4iDSIZ8MhI.exe (PID: 2344 cmdline: "C:\Users\user\Desktop\4iDSIZ8MhI.exe" MD5: 01284D3EF501955AC9ED679E5CB32E23)
    • svchost.exe (PID: 5996 cmdline: "C:\Users\user\Desktop\4iDSIZ8MhI.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2e113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17752:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2abf0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x1422f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.400000.0.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 2.2.svchost.exe.400000.0.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2d313:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16952:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 2.2.svchost.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook_1; Description: Yara detected FormBook; Author: Joe Security
Source: 2.2.svchost.exe.400000.0.raw.unpack; Rule: Windows_Trojan_Formbook_1112e116; Description: unknown; Author: unknown
  • 0x2e113:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17752:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ParentImage: C:\Users\user\Desktop\4iDSIZ8MhI.exe, ParentProcessId: 2344, ParentProcessName: 4iDSIZ8MhI.exe, ProcessCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ProcessId: 5996, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ParentImage: C:\Users\user\Desktop\4iDSIZ8MhI.exe, ParentProcessId: 2344, ParentProcessName: 4iDSIZ8MhI.exe, ProcessCommandLine: "C:\Users\user\Desktop\4iDSIZ8MhI.exe", ProcessId: 5996, ProcessName: svchost.exe
          No Suricata rule has matched
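The two Sigma rows above record the one event that matters in this tree: a SysWOW64 svchost.exe (PID 5996) started by a binary on the user's Desktop (PID 2344) and still carrying the loader's command line, which is what a hollowed host looks like in process-creation telemetry. The script below is an added example, not code from the Joe Sandbox report or from either Sigma rule: it re-creates that row as a constructed event next to a constructed benign control, parses the report's "Key: value" row format, and returns the tells a responder would check. The parent allowlist and the finding names are assumptions chosen for illustration, not the Sigma rule's filter list.

```python
"""Triage of svchost.exe starts in the report's Sigma row format.

Added example; not code from the Joe Sandbox report or the Sigma rules it
names. EVENTS[0] is constructed from the report's own row (parent PID 2344,
child PID 5996); EVENTS[1] is a constructed benign control.
EXPECTED_SVCHOST_PARENTS and the finding names are illustrative assumptions.
"""
import ntpath
import re

# Constructed events in the report's "Key: value, Key: value" row format.
EVENTS = [
    # Mirrors the report: SysWOW64 svchost.exe spawned by a Desktop binary,
    # still carrying the loader's command line (hollowed host).
    'Command: "C:\\Users\\user\\Desktop\\4iDSIZ8MhI.exe", '
    'CommandLine: "C:\\Users\\user\\Desktop\\4iDSIZ8MhI.exe", '
    'Image: C:\\Windows\\SysWOW64\\svchost.exe, '
    'NewProcessName: C:\\Windows\\SysWOW64\\svchost.exe, '
    'OriginalFileName: C:\\Windows\\SysWOW64\\svchost.exe, '
    'ParentCommandLine: "C:\\Users\\user\\Desktop\\4iDSIZ8MhI.exe", '
    'ParentImage: C:\\Users\\user\\Desktop\\4iDSIZ8MhI.exe, '
    'ParentProcessId: 2344, ParentProcessName: 4iDSIZ8MhI.exe, '
    'ProcessCommandLine: "C:\\Users\\user\\Desktop\\4iDSIZ8MhI.exe", '
    'ProcessId: 5996, ProcessName: svchost.exe',
    # Benign control (constructed): services.exe starting a service host.
    'Command: C:\\Windows\\System32\\svchost.exe -k netsvcs -p, '
    'CommandLine: C:\\Windows\\System32\\svchost.exe -k netsvcs -p, '
    'Image: C:\\Windows\\System32\\svchost.exe, '
    'NewProcessName: C:\\Windows\\System32\\svchost.exe, '
    'OriginalFileName: svchost.exe, '
    'ParentCommandLine: C:\\Windows\\System32\\services.exe, '
    'ParentImage: C:\\Windows\\System32\\services.exe, '
    'ParentProcessId: 700, ParentProcessName: services.exe, '
    'ProcessCommandLine: C:\\Windows\\System32\\svchost.exe -k netsvcs -p, '
    'ProcessId: 1234, ProcessName: svchost.exe',
]

# A key is a run of letters or '|' (the report also carries
# "CommandLine|base64offset|contains"); a value runs until the next key.
FIELD_RE = re.compile(r"([A-Za-z|]+): (.*?)(?=, [A-Za-z|]+: |$)")

# Assumed allowlist of images that normally start svchost.exe (illustrative,
# not the Sigma rule's own filter list).
EXPECTED_SVCHOST_PARENTS = {
    "services.exe", "svchost.exe", "msmpeng.exe", "mrt.exe",
    "rpcnet.exe", "ngen.exe", "tiworker.exe",
}


def parse_event(row: str) -> dict:
    """Split one report-style row into a field dict (values keep their quotes)."""
    return {key: value for key, value in FIELD_RE.findall(row)}


def launched_image(cmdline: str) -> str:
    """Return the executable path a command line names, quoted or not."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def analyze(event: dict) -> list:
    """Return the anomaly findings for one process-start event (svchost.exe only)."""
    image_path = event.get("Image", "")
    parent_path = event.get("ParentImage", "")
    image = ntpath.basename(image_path).lower()
    findings = []
    if image != "svchost.exe":
        return findings
    # Sigma-style check: who started this service host?
    if ntpath.basename(parent_path).lower() not in EXPECTED_SVCHOST_PARENTS:
        findings.append("uncommon_svchost_parent")
    # Hollowing tell from the process tree: the command line still names the
    # loader, not the image that is actually running.
    if ntpath.basename(launched_image(event.get("CommandLine", ""))).lower() != image:
        findings.append("image_cmdline_mismatch")
    if "\\users\\" in parent_path.lower():
        findings.append("parent_in_user_profile")
    # A 32-bit host on x64 matches a 32-bit loader (the sample is 32BIT_MACHINE).
    if "\\syswow64\\" in image_path.lower():
        findings.append("wow64_svchost")
    return findings


def triage(rows) -> dict:
    """Map ProcessId -> findings for every row that raises at least one finding."""
    verdicts = {}
    for row in rows:
        event = parse_event(row)
        findings = analyze(event)
        if findings:
            verdicts[int(event["ProcessId"])] = findings
    return verdicts


if __name__ == "__main__":
    for pid, findings in triage(EVENTS).items():
        print(f"PID {pid}: {', '.join(findings)}")
```

Run on the two constructed rows, only PID 5996 is reported, with all four findings; the services.exe-spawned control raises none. The image/command-line mismatch is the check worth keeping even where the parent allowlist is tuned per environment, because a legitimately started svchost.exe always names itself on its own command line.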



          AV Detection

Source: 4iDSIZ8MhI.exe, ReversingLabs: Detection: 42%
Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: 4iDSIZ8MhI.exe, Joe Sandbox ML: detected
Source: 4iDSIZ8MhI.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0034DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_0034DBBE
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0031C2A2 FindFirstFileExW,0_2_0031C2A2
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_003568EE FindFirstFileW,FindClose,0_2_003568EE
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0035698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_0035698F
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0034D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0034D076
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0034D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0034D3A9
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00359642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00359642
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0035979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_0035979D
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00359B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00359B2B
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00355C97 FindFirstFileW,FindNextFileW,FindClose,0_2_00355C97
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0035CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_0035CE44
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0035EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_0035EAFF
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0035ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_0035ED6A
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0034AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_0034AA57
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00379576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00379576

          E-Banking Fraud

Source: Yara match, File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 4iDSIZ8MhI.exe, String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 4iDSIZ8MhI.exe, 00000000.00000000.1235773363.00000000003A2000.00000002.00000001.01000000.00000003.sdmp, String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a7f39df8-7)
          Source: 4iDSIZ8MhI.exe, 00000000.00000000.1235773363.00000000003A2000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d56120c6-0
Source: 4iDSIZ8MhI.exe, String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_a281871b-d)
          Source: 4iDSIZ8MhI.exeString found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_10e38a6e-0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042B5C3 NtClose,2_2_0042B5C3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972B60 NtClose,LdrInitializeThunk,2_2_03972B60
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03972DF0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039735C0 NtCreateMutant,LdrInitializeThunk,2_2_039735C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03974340 NtSetContextThread,2_2_03974340
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03974650 NtSuspendThread,2_2_03974650
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972B80 NtQueryInformationFile,2_2_03972B80
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972BA0 NtEnumerateValueKey,2_2_03972BA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972BF0 NtAllocateVirtualMemory,2_2_03972BF0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972BE0 NtQueryValueKey,2_2_03972BE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972AB0 NtWaitForSingleObject,2_2_03972AB0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972AD0 NtReadFile,2_2_03972AD0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972AF0 NtWriteFile,2_2_03972AF0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972F90 NtProtectVirtualMemory,2_2_03972F90
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972FB0 NtResumeThread,2_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972FA0 NtQuerySection,2_2_03972FA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972FE0 NtCreateFile,2_2_03972FE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972F30 NtCreateSection,2_2_03972F30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972F60 NtCreateProcessEx,2_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972E80 NtReadVirtualMemory,2_2_03972E80
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972EA0 NtAdjustPrivilegesToken,2_2_03972EA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972EE0 NtQueueApcThread,2_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972E30 NtWriteVirtualMemory,2_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972DB0 NtEnumerateKey,2_2_03972DB0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972DD0 NtDelayExecution,2_2_03972DD0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972D10 NtMapViewOfSection,2_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972D00 NtSetInformationFile,2_2_03972D00
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972D30 NtUnmapViewOfSection,2_2_03972D30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972CA0 NtQueryInformationToken,2_2_03972CA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972CC0 NtQueryVirtualMemory,2_2_03972CC0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972CF0 NtOpenProcess,2_2_03972CF0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972C00 NtQueryInformationProcess,2_2_03972C00
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972C70 NtFreeVirtualMemory,2_2_03972C70
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03972C60 NtCreateKey,2_2_03972C60
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03973090 NtSetValueKey,2_2_03973090
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03973010 NtOpenDirectoryObject,2_2_03973010
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039739B0 NtGetContextThread,2_2_039739B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03973D10 NtOpenProcessToken,2_2_03973D10
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03973D70 NtOpenThread,2_2_03973D70
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0034D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_0034D5EB
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00341201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00341201
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0034E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_0034E8F6
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002EBF40
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002E8060
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00352046
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00348298
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0031E4FF
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0031676B
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00374873
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0030CAA0
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002ECAF0
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002FCC39
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00316DD9
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002FD064
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002E90B7
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002FB119
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002E91C0
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00301394
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00301706
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0030781B
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002E7920
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_002F997D
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_003019B0
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00307A4A
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00301C77
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00307CA7
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00333CD5
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_0036BE44
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00319EEE
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_00301F32
Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe, Code function: 0_2_039935F0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00401170
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004101B1
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004101B3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00403270
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0042DA03
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00416AC3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_004103D3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E44B
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E453
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00402430
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E597
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00402759
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_00402760
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0040E71F
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A003E6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0394E3F0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FA352
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039C02C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039E0274
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A001AA
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F41A2
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F81CC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039DA118
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03930100
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039C8158
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039D2000
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0393C7C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03964750
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03940770
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0395C6E0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A00591
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03940535
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039EE4F6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039E4420
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F2446
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F6BD7
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FAB40
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0393EA80
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A0A9A6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039429A0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03956962
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039268B8
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0396E8F0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0394A840
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03942840
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039BEFA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03932FC8
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0394CFE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03960F30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039E2F30
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03982F28
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039B4F40
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03952E90
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FCE93
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FEEDB
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FEE26
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03940E59
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03958DBF
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0393ADE0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039DCD1F
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0394AD00
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039E0CB5
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03930CF2
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03940C00
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0398739A
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F132D
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0392D34C
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039452A0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0395B2C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039E12ED
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0394B1B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03A0B16B
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0392F172
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0397516C
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039EF0CC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039470C0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F70E9
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FF0E0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FF7B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F16CC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03985630
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039DD5B0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F7571
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FF43F
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03931460
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0395FB80
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039B5BF0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_0397DBF9
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FFB76
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039DDAAC
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03985AA0
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039E1AA3
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039EDAC6
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039FFA49
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039F7A46
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039B3A6C
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_039D5910
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 2_2_03949950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395B9502_2_0395B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039438E02_2_039438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039AD8002_2_039AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03941F922_2_03941F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFFB12_2_039FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFF092_2_039FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03949EB02_2_03949EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0395FDC02_2_0395FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F1D5A2_2_039F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03943D402_2_03943D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039F7D732_2_039F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039FFCF22_2_039FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_039B9C322_2_039B9C32
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 277 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 111 times
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: String function: 00300A30 appears 46 times
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: String function: 002E9CB3 appears 31 times
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: String function: 002FF9F2 appears 40 times
          Source: 4iDSIZ8MhI.exe, 00000000.00000003.1255191705.000000000408D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 4iDSIZ8MhI.exe
          Source: 4iDSIZ8MhI.exe, 00000000.00000003.1247077060.0000000003EE3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 4iDSIZ8MhI.exe
          Source: 4iDSIZ8MhI.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1367860374.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000002.00000002.1368095229.0000000003750000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 | reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal92.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_003537B5 GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_003410BF AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_003416C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_003551CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0036A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_002E42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | File created: C:\Users\user~1\AppData\Local\Temp\autE651.tmp
          Source: 4iDSIZ8MhI.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: 4iDSIZ8MhI.exe | ReversingLabs: Detection: 42%
          Source: unknown | Process created: C:\Users\user\Desktop\4iDSIZ8MhI.exe "C:\Users\user\Desktop\4iDSIZ8MhI.exe"
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\4iDSIZ8MhI.exe"
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Section loaded: ntmarta.dll
          Source: 4iDSIZ8MhI.exe | Static file information: File size 1260544 > 1048576
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: 4iDSIZ8MhI.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: 4iDSIZ8MhI.exe, 00000000.00000003.1245380225.0000000003F10000.00000004.00001000.00020000.00000000.sdmp, 4iDSIZ8MhI.exe, 00000000.00000003.1246020881.0000000003D70000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1325170489.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1322705806.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1368120608.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp
          Source: 4iDSIZ8MhI.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: 4iDSIZ8MhI.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: 4iDSIZ8MhI.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: 4iDSIZ8MhI.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: 4iDSIZ8MhI.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00300A76 push ecx; ret (0_2_00300A89)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041802E pushad ; iretd (2_2_00418036)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004079FB push ebx; ret (2_2_00407A00)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004014C0 push FFFFFFC3h; ret (2_2_004014DD)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040CCD5 pushad ; iretd (2_2_0040CCDE)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403520 push eax; ret (2_2_00403522)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404DCC push esp; iretd (2_2_00404DCE)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040AF5C pushad ; retf (2_2_0040AF5D)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A7DC push eax; retf (2_2_0040A85F)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040A7E3 push eax; retf (2_2_0040A85F)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040C7F1 push ds; retf (2_2_0040C7F2)
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_039309AD push ecx; mov dword ptr [esp], ecx (2_2_039309B6)
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_002FF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00371C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | API/Special instruction interceptor: Address: 3993214
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | API coverage: 3.8 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 1416 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0031C2A2 FindFirstFileExW
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_003568EE FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0034D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00359642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_0035979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00359B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_00355C97 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\4iDSIZ8MhI.exe | Code function: 0_2_002E42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0397096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417A73 LdrLoadDll
          Source: C:\Users\user\Desktop\4iDSIZ8M