Windows Analysis Report
1lAxaLKP7E.exe

Overview

General Information

Sample name: 1lAxaLKP7E.exe (renamed because the original name is a hash value)
Original sample name: 91b60b1ae0b37343c671b632eb3e358d9a5029c9c6405556ba835528c67fd6d8.exe
Analysis ID: 1504860
MD5: 98c1a12ce79248bbdb4c8a65fc227e58
SHA1: 259ae7a3d239a352db772433075f649d5fbda8e7
SHA256: 91b60b1ae0b37343c671b632eb3e358d9a5029c9c6405556ba835528c67fd6d8
Tags: exe

Detection

FormBook, XRed
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected FormBook
Yara detected XRed
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Contains functionality to detect sleep reduction / modifications
Found API chain indicative of sandbox detection
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May check if the current machine is a sandbox (GetTickCount - Sleep)
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains sections with non-standard names
PE file does not import any functions
Potential key logger detected (key state polling based)
Queries the installation date of Windows
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 1lAxaLKP7E.exe (PID: 6700 cmdline: "C:\Users\user\Desktop\1lAxaLKP7E.exe" MD5: 98C1A12CE79248BBDB4C8A65FC227E58)
    • svchost.exe (PID: 6888 cmdline: "C:\Users\user\Desktop\1lAxaLKP7E.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • ._cache_svchost.exe (PID: 7028 cmdline: "C:\Users\user\Desktop\._cache_svchost.exe" MD5: 8A4835835C59FDB159CF2F3EF7CF2907)
      • Synaptics.exe (PID: 7112 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • Synaptics.exe (PID: 6456 cmdline: "C:\ProgramData\Synaptics\Synaptics.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ddc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x15ed2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_XRed | Yara detected XRed | Joe Security
(6 further entries not shown)

Source | Rule | Description | Author | Strings
2.2.._cache_svchost.exe.630000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.._cache_svchost.exe.630000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2dfc3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x160d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
0.2.1lAxaLKP7E.exe.3640000.1.unpack | JoeSecurity_XRed | Yara detected XRed | Joe Security
0.2.1lAxaLKP7E.exe.3640000.1.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_XRed | Yara detected XRed | Joe Security
(5 further entries not shown)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\1lAxaLKP7E.exe", CommandLine: "C:\Users\user\Desktop\1lAxaLKP7E.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1lAxaLKP7E.exe", ParentImage: C:\Users\user\Desktop\1lAxaLKP7E.exe, ParentProcessId: 6700, ParentProcessName: 1lAxaLKP7E.exe, ProcessCommandLine: "C:\Users\user\Desktop\1lAxaLKP7E.exe", ProcessId: 6888, ProcessName: svchost.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\ProgramData\Synaptics\Synaptics.exe, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6888, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\1lAxaLKP7E.exe", CommandLine: "C:\Users\user\Desktop\1lAxaLKP7E.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\1lAxaLKP7E.exe", ParentImage: C:\Users\user\Desktop\1lAxaLKP7E.exe, ParentProcessId: 6700, ParentProcessName: 1lAxaLKP7E.exe, ProcessCommandLine: "C:\Users\user\Desktop\1lAxaLKP7E.exe", ProcessId: 6888, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: http://xred.site50.net/syn/SSLLibrary.dll; Avira URL Cloud: Label: malware
Source: C:\Users\user\Desktop\._cache_svchost.exe; Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\._cache_svchost.exe; ReversingLabs: Detection: 87%
Source: 1lAxaLKP7E.exe; ReversingLabs: Detection: 65%
Source: Yara match; File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\._cache_svchost.exe; Joe Sandbox ML: detected
Source: 1lAxaLKP7E.exe; Joe Sandbox ML: detected
Source: 1lAxaLKP7E.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: 1lAxaLKP7E.exe, 00000000.00000003.1814634487.0000000003860000.00000004.00001000.00020000.00000000.sdmp, 1lAxaLKP7E.exe, 00000000.00000003.1813379686.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, ._cache_svchost.exe, 00000002.00000003.2147879512.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.0000000001190000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000002.2179114739.000000000132E000.00000040.00001000.00020000.00000000.sdmp, ._cache_svchost.exe, 00000002.00000003.2145891846.0000000000D25000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb; source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source: Binary string: svchost.pdbUGP; source: svchost.exe, 00000001.00000003.1819565454.0000000003099000.00000004.00000020.00020000.00000000.sdmp, Synaptics.exe, 00000003.00000002.1823129114.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe, 00000007.00000002.1946319184.0000000000071000.00000020.00000001.01000000.00000006.sdmp, Synaptics.exe.1.dr
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: [autorun]
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp; Binary or memory string: autorun.inf
Source: svchost.exe; Binary or memory string: autorun.inf
Source: svchost.exe; Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: [autorun]
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; Binary or memory string: autorun.inf
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_006DDBBE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006E68EE FindFirstFileW,FindClose,0_2_006E68EE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_006E698F
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006DD076
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_006DD3A9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006E9642
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_006E979D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_006E9B2B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_006E5C97
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_004099E0 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,1_2_004099E0
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_00406018 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,1_2_00406018
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_00409B1C FindFirstFileA,GetLastError,1_2_00409B1C
Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user
Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini
Source: C:\Windows\SysWOW64\svchost.exe; File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent,0_2_006ECE44
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dl
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://xred.site50.net/syn/SSLLibrary.dll
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://xred.site50.net/syn/SUpdate.ini
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://xred.site50.net/syn/SUpdate.iniH)
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: http://xred.site50.net/syn/Synaptics.rar
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=downlo
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=downloX
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloX
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=downloXO
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=T
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl
Source: svchost.exe, 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
Source: svchost.exe, 00000001.00000003.1822907749.0000000004E00000.00000004.00001000.00020000.00000000.sdmp; String found in binary or memory: https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_006EEAFF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_006EED6A
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_00429040 GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,1_2_00429040
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_006DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_006DAA57
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe; Code function: 0_2_00709576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00709576
Source: Yara match; File source: Process Memory Space: 1lAxaLKP7E.exe PID: 6700, type: MEMORYSTR

E-Banking Fraud

Source: Yara match; File source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1lAxaLKP7E.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 1lAxaLKP7E.exe, 00000000.00000000.1725274560.0000000000732000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_95e16eda-3
Source: 1lAxaLKP7E.exe, 00000000.00000000.1725274560.0000000000732000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_089325fa-6
Source: 1lAxaLKP7E.exe; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_b4728bad-d
Source: 1lAxaLKP7E.exe; String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_c48f032d-1
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0043F118 NtdllDefWindowProc_A,GetCapture,1_2_0043F118
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004598AC NtdllDefWindowProc_A,1_2_004598AC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0045A054 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,1_2_0045A054
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0045A104 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,1_2_0045A104
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0045E9EC SHGetPathFromIDList,SHGetPathFromIDList,NtdllDefWindowProc_A,1_2_0045E9EC
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0044EA40 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,1_2_0044EA40
                  Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042F60C NtdllDefWindowProc_A,1_2_0042F60C
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_0065C083 NtClose,2_2_0065C083
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_01202B60 NtClose,LdrInitializeThunk,2_2_01202B60
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_01202DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_01202DF0
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_01202C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_01202C70
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_012035C0 NtCreateMutant,LdrInitializeThunk,2_2_012035C0
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_01204340 NtSetContextThread,2_2_01204340
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_01204650 NtSuspendThread,2_2_01204650
                  Source: C:\Users\user\Desktop\._cache_svchost.exeCode function: 2_2_01202BA0 NtEnumerateValueKey,2_2_01202BA0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202B80 NtQueryInformationFile
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202BE0 NtQueryValueKey
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202BF0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202AB0 NtWaitForSingleObject
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202AF0 NtWriteFile
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202AD0 NtReadFile
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202D30 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202D00 NtSetInformationFile
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202D10 NtMapViewOfSection
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202DB0 NtEnumerateKey
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202DD0 NtDelayExecution
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202C00 NtQueryInformationProcess
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202C60 NtCreateKey
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202CA0 NtQueryInformationToken
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202CF0 NtOpenProcess
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202CC0 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202F30 NtCreateSection
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202F60 NtCreateProcessEx
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202FA0 NtQuerySection
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202FB0 NtResumeThread
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202F90 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202FE0 NtCreateFile
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202EA0 NtAdjustPrivilegesToken
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202E80 NtReadVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202EE0 NtQueueApcThread
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01203010 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01203090 NtSetValueKey
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012039B0 NtGetContextThread
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01203D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01203D70 NtOpenThread
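The rows above list the native (Nt*) API stubs that ._cache_svchost.exe, the process in which the report's Yara rules matched Windows_Trojan_Formbook, resolves on its own rather than through an import table. The script below is an added triage example, not part of the Joe Sandbox report: it parses a handful of "Code function" rows copied from the list above (constructed sample, addresses as reported) and groups the resolved stubs into capability buckets. The bucket names and their membership are this example's own classification, not Joe Sandbox's; the "complete injection primitive" test (open + write + execute) is likewise the example's heuristic.

```python
"""Added example: triage of the Nt* resolution rows from this report.

Parses 'Code function' rows and maps the resolved native-API stubs onto
capability buckets (the buckets are this example's own classification).
"""
import re

# Matches both the raw row form ("...exeCode function: 2_2_01202CF0 NtOpenProcess,2_2_...")
# and the cleaned form ("... | Code function: 2_2_01202CF0 NtOpenProcess").
ROW_RE = re.compile(r"Code function: (?P<func>\d+_\d+_[0-9A-Fa-f]{8}) (?P<api>Nt\w+)")

# Example's own mapping of stub sets to capabilities.
CAPABILITIES = {
    "process injection / hollowing": {
        "NtOpenProcess", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
        "NtProtectVirtualMemory", "NtCreateSection", "NtMapViewOfSection",
        "NtUnmapViewOfSection", "NtQueueApcThread", "NtResumeThread",
        "NtGetContextThread", "NtCreateProcessEx",
    },
    "anti-analysis / timing": {
        "NtQueryInformationProcess", "NtDelayExecution", "NtQueryVirtualMemory",
    },
    "registry": {"NtCreateKey", "NtSetValueKey", "NtQueryValueKey", "NtEnumerateKey"},
    "file I/O": {
        "NtCreateFile", "NtReadFile", "NtWriteFile",
        "NtQueryInformationFile", "NtSetInformationFile",
    },
    "token manipulation": {
        "NtOpenProcessToken", "NtQueryInformationToken", "NtAdjustPrivilegesToken",
    },
}

# Constructed sample: a subset of the rows listed above, plus one row that
# names a function without an API so the parser is shown skipping it.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202CF0 NtOpenProcess
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202BF0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202E30 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202F90 NtProtectVirtualMemory
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202D10 NtMapViewOfSection
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202D30 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202EE0 NtQueueApcThread
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202FB0 NtResumeThread
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202DD0 NtDelayExecution
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01202C00 NtQueryInformationProcess
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01203090 NtSetValueKey
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00631000
"""


def parse_rows(text: str) -> dict:
    """Return {Nt* name: function address} for every row that resolves a native API."""
    return {m["api"]: m["func"] for m in ROW_RE.finditer(text)}


def triage(resolved) -> dict:
    """Map the resolved Nt* names onto capability buckets; empty buckets are omitted."""
    names = set(resolved)
    return {cap: sorted(names & needed)
            for cap, needed in CAPABILITIES.items() if names & needed}


def injection_primitive_complete(resolved) -> bool:
    """Heuristic: open a target + write into it + make it run = working injection primitive."""
    names = set(resolved)
    can_write = bool(names & {"NtWriteVirtualMemory", "NtMapViewOfSection"})
    can_execute = bool(names & {"NtQueueApcThread", "NtResumeThread", "NtCreateProcessEx"})
    return "NtOpenProcess" in names and can_write and can_execute


if __name__ == "__main__":
    resolved = parse_rows(SAMPLE_ROWS)
    for cap, apis in triage(resolved).items():
        print(f"{cap}: {', '.join(apis)}")
    print("complete injection primitive:", injection_primitive_complete(resolved))
```

Run against the full list above rather than the sample, the same parser also picks up NtCreateSection, NtGetContextThread and NtCreateProcessEx, which fills out the hollowing bucket further; the buckets are a triage aid for deciding what to look at first in the disassembly, not a verdict.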
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006DD5EB CreateFileW, DeviceIoControl, CloseHandle
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006D1201 LogonUserW, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcslen, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, GetProcessHeap, HeapFree, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006DE8F6 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0067CAF0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0067BF40
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00678060
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006E2046
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006D8298
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006AE4FF
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006A676B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00704873
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0069CAA0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0068CC39
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006A6DD9
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0068D065
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0068B119
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006791C0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00691394
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00691706
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0069781B
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_0068997D
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00677920
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006919B0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00697A4A
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00691C77
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00697CA7
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006FBE44
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006A9EEE
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00691F32
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_00CA35D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004601F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0046C7CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0048C7F4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0044EA40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00496E18
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0046B1E4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0045FCC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00453DA4
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00631000
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0063F8A3
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00631130
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00646243
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0063FAC3
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00631280
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0063DB43
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00631BF7
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00632420
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00631C00
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0065E6B3
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_00632FA0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011C0100
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0126A118
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01258158
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012901AA
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012881CC
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01262000
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128A352
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012903E6
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011DE3F0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01270274
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012502C0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D0535
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01290591
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01274420
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01282446
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0127E4F6
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011F4750
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D0770
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011CC7C0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011EC6E0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011E6962
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0129A9A6
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D29A0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011DA840
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D2840
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011B68B8
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011FE8F0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128AB40
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01286BD7
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011CEA80
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011DAD00
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0126CD1F
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011E8DBF
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011CADE0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D0C00
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01270CB5
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011C0CF2
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01212F28
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01272F30
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011F0F30
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01244F40
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0124EFA0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011C2FC8
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128EE26
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D0E59
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011E2E90
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128CE93
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128EEDB
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0129B16B
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0120516C
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011BF172
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011DB1B0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012870E9
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128F0E0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D70C0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0127F0CC
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128132D
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011BD34C
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0121739A
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D52A0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012712ED
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011EB2C0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01287571
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0126D5B0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128F43F
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011C1460
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128F7B0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_012816CC
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01265910
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D9950
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011EB950
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0123D800
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D38E0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128FB76
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011EFB80
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01245BF0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0120DBF9
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01243A6C
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128FA49
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01287A46
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01215AA0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01271AA3
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0126DAAC
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0127DAC6
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01287D73
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D3D40
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01281D5A
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011EFDC0
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_01249C32
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128FCF2
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128FF09
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D1F92
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_0128FFB1
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: 2_2_011D9EB0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0049058C appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004109E8 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004049C0 appears 73 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 004070F0 appears 81 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 00404CCC appears 54 times
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: String function: 01205130 appears 58 times
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: String function: 0123EA12 appears 86 times
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: String function: 0124F290 appears 105 times
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: String function: 01217E54 appears 100 times
Source: C:\Users\user\Desktop\._cache_svchost.exe | Code function: String function: 011BB970 appears 265 times
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: String function: 00690A30 appears 46 times
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: String function: 0068F9F2 appears 31 times
Source: ._cache_svchost.exe.1.dr | Static PE information: No import functions for PE file found
Source: 1lAxaLKP7E.exe, 00000000.00000003.1813235075.0000000003873000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000003.1814350551.0000000003B2D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFileName vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe, 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameb! vs 1lAxaLKP7E.exe
Source: 1lAxaLKP7E.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.._cache_svchost.exe.630000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2178717615.0000000000631000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2178961116.0000000000E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: ._cache_svchost.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ._cache_svchost.exe.1.dr | Static PE information: Section .text
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@8/6@0/0
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006E37B5 GetLastError, FormatMessageW
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006D10BF AdjustTokenPrivileges, CloseHandle
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006D16C3 LookupPrivilegeValueW, AdjustTokenPrivileges, GetLastError
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00475958 GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, CloseHandle, GetLastError, GetLastError
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006E51CD SetErrorMode, GetDiskFreeSpaceExW, SetErrorMode
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006FA67C CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, CloseHandle
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006E648E _wcslen, CoInitialize, CoCreateInstance, CoUninitialize
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Code function: 0_2_006742A2 CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource
Source: C:\Windows\SysWOW64\svchost.exe | File created: C:\Users\user\Desktop\._cache_svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Synaptics2X
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | File created: C:\Users\user\AppData\Local\Temp\aut6951.tmp
Source: Yara match | File source: 0.2.1lAxaLKP7E.exe.3640000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.1lAxaLKP7E.exe.3640000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1815969856.0000000003640000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1823152194.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: 1lAxaLKP7E.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\svchost.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\svchost.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 1lAxaLKP7E.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\1lAxaLKP7E.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
Source: unknown | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe"
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\1lAxaLKP7E.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Users\user\Desktop\._cache_svchost.exe "C:\Users\user\Desktop\._cache_svchost.exe"
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\ProgramData\Synaptics\Synaptics.exe "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
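The "Process created" rows above give the execution chain: the sample starts C:\Windows\SysWOW64\svchost.exe but with its own command line, that svchost.exe then drops and runs ._cache_svchost.exe from the Desktop and Synaptics.exe from C:\ProgramData\Synaptics with the InjUpdate argument, and Synaptics.exe is later started on its own. The script below is an added example, not part of the Joe Sandbox report: it encodes those observations as process-creation checks and runs them over events constructed from the five rows above (Sysmon-style fields, no real telemetry). It assumes that services.exe is the only legitimate parent of svchost.exe on a conventional host; the ProgramData\Synaptics path, the InjUpdate argument and the ._cache_ prefix are indicators taken from this report, not a general XRed signature.

```python
"""Added example: detection logic for the process chain in this report.

Runs over constructed Sysmon-style process-creation events built from the
'Process created' rows above; the checks are the example's own.
"""
from dataclasses import dataclass
import ntpath

# Assumption: on a conventional Windows host svchost.exe is started only by services.exe.
LEGIT_SVCHOST_PARENTS = {"services.exe"}
# Locations an unprivileged user or installer can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\")
# Path of the XRed component as observed in this report.
XRED_IMAGE = "c:\\programdata\\synaptics\\synaptics.exe"


@dataclass(frozen=True)
class ProcEvent:
    image: str          # on-disk image of the new process
    command_line: str   # its command line as logged
    parent_image: str   # image of the creating process ("" if unknown)


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def cmdline_image(command_line: str) -> str:
    """Return the executable named by a Windows command line (its first token).

    A quoted first token ends at the closing quote; an unquoted one at the first space.
    """
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def analyze(ev: ProcEvent) -> list[str]:
    """Return the findings for one process-creation event (empty list = nothing flagged)."""
    findings = []
    image = ev.image.lower()
    name = _basename(image)
    parent = _basename(ev.parent_image)
    claimed = cmdline_image(ev.command_line).lower()

    # 1. On-disk image and command line name different executables. The report shows
    #    svchost.exe created with 1lAxaLKP7E.exe's command line, the trace left when a
    #    process is created suspended and its image replaced (hollowing).
    if claimed and _basename(claimed) != name:
        findings.append(f"image/command-line mismatch: {name} claims to be {claimed}")

    # 2. svchost.exe whose parent is not services.exe.
    if name == "svchost.exe" and parent not in LEGIT_SVCHOST_PARENTS:
        findings.append(f"svchost.exe spawned by unexpected parent: {parent or 'unknown'}")

    # 3. svchost.exe launching a binary from a user-writable location
    #    (report: ._cache_svchost.exe on the Desktop, Synaptics.exe under ProgramData).
    if parent == "svchost.exe" and image.startswith(USER_WRITABLE_PREFIXES):
        findings.append(f"svchost.exe started child from user-writable path: {ev.image}")

    # 4. Indicators taken from this report's XRed stage.
    if image == XRED_IMAGE:
        findings.append("XRed path: Synaptics.exe under ProgramData")
    if "injupdate" in ev.command_line.lower().split():
        findings.append("XRed argument: InjUpdate")
    if name.startswith("._cache_"):
        findings.append("XRed drop: ._cache_ prefixed copy of the host binary")
    return findings


def analyze_all(events) -> list:
    """Pair every event with its findings; unflagged events are kept so the gaps show."""
    return [(ev, analyze(ev)) for ev in events]


# Constructed from the five 'Process created' rows of this report ("" = parent unknown).
REPORT_EVENTS = [
    ProcEvent(r"C:\Users\user\Desktop\1lAxaLKP7E.exe",
              r'"C:\Users\user\Desktop\1lAxaLKP7E.exe"', ""),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\1lAxaLKP7E.exe"',
              r"C:\Users\user\Desktop\1lAxaLKP7E.exe"),
    ProcEvent(r"C:\Users\user\Desktop\._cache_svchost.exe",
              r'"C:\Users\user\Desktop\._cache_svchost.exe"',
              r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(r"C:\ProgramData\Synaptics\Synaptics.exe",
              r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate',
              r"C:\Windows\SysWOW64\svchost.exe"),
    ProcEvent(r"C:\ProgramData\Synaptics\Synaptics.exe",
              r'"C:\ProgramData\Synaptics\Synaptics.exe"', ""),
]

if __name__ == "__main__":
    for ev, found in analyze_all(REPORT_EVENTS):
        print(ev.image, "->", found or ["no finding"])
```

Checks 1 to 3 are behavioural and would fire on other hollowing loaders that borrow svchost.exe; check 4 is tied to what this report shows and would need updating for another sample. The first event (the user launching the sample) and the stand-alone Synaptics.exe relaunch show the limits: without the parent, only the path indicator remains.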
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\1lAxaLKP7E.exe | Section loaded: kernel.appcore.dll