
Analysis Report RFQ MOLD6312701 2K Modification.exe

Overview

General Information

Sample Name: RFQ MOLD6312701 2K Modification.exe
Analysis ID: 315774
MD5: 594906ac618036c814735443d7ae264d
SHA1: 650b387325ca1cfe5f7fde296ab3abec88fd4796
SHA256: b40cbfc5b305924116c41f9f96add7e45e3f023c5bdefddbdcc9889e2443834e
Tags: exe, GuLoader

Most interesting Screenshot:

Detection

FormBook, GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Hides threads from debuggers
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • RFQ MOLD6312701 2K Modification.exe (PID: 6036 cmdline: 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe' MD5: 594906AC618036C814735443D7AE264D)
    • RFQ MOLD6312701 2K Modification.exe (PID: 1320 cmdline: 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe' MD5: 594906AC618036C814735443D7AE264D)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6376 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6880 cmdline: /c del 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6864 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 0000000E.00000002.931927012.0000000000AA1000.00000004.00000020.sdmp
Rule: LokiBot_Dropper_Packed_R11_Feb18
Description: Auto-generated rule - file scan copy.pdf.r11
Author: Florian Roth
Strings:
  • 0x23ac:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c30a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x183e9:$sqlite3step: 68 34 1C 7B E1
  • 0x184fc:$sqlite3step: 68 34 1C 7B E1
  • 0x18418:$sqlite3text: 68 38 2A 90 C5
  • 0x1853d:$sqlite3text: 68 38 2A 90 C5
  • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18553:$sqlite3blob: 68 53 D8 7F 8C

Source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: redesuperpops.com.br | Virustotal: Detection: 8%
Multi AV Scanner detection for submitted file
Source: RFQ MOLD6312701 2K Modification.exe | Virustotal: Detection: 20%
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.824195915.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.820005196.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931464417.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi | 14_2_005672B0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 14_2_00566BC7
Source: global traffic | HTTP traffic detected: GET /icm9/?GVTD=SO8kQ9zsZ8fSHBsy4aCroVvuZ8i2Xq+WBmU7cd2Q2fNZ9aNLadzv4cCoO+et8JUlPruF&GnB=E2Mxw0vxmtsPFdA HTTP/1.1 | Host: www.bbwtok.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 192.185.216.181
Source: Joe Sandbox View | IP Address: 185.104.28.238
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: AS-ZXCSNL
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | DNS traffic detected: queries for: redesuperpops.com.br
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | date: Fri, 13 Nov 2020 02:11:01 GMT | server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.0.30 | content-length: 203 | content-type: text/html; charset=iso-8859-1 | connection: close | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 69 63 6d 39 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /icm9/ was not found on this server.</p></body></html>
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820267276.0000000000957000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp | String found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820267276.0000000000957000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820267276.0000000000957000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820267276.0000000000957000.00000004.00000001.sdmp | String found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: explorer.exe, 00000009.00000002.932997033.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820267276.0000000000957000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co3W
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000000.804805097.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp | String found in binary or memory: https://redesuperpops.com.br/
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp, RFQ MOLD6312701 2K Modification.exe, 00000001.00000003.819352178.000000000094B000.00000004.00000001.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Kalied_Rewcur216.bin
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Kalied_Rewcur216.binL
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000003.819352178.000000000094B000.00000004.00000001.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Kalied_Rewcur216.binM
Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820229127.0000000000917000.00000004.00000020.sdmp | String found in binary or memory: https://redesuperpops.com.br/trends/Kalied_Rewcur216.binll
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.824195915.000000001E150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.820005196.00000000000A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.931464417.0000000000550000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000E.00000002.931927012.0000000000AA1000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.824195915.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.824195915.000000001E150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.820005196.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.820005196.00000000000A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.931464417.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.931464417.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.932724238.00000000034FF000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 | Author: Florian Roth
Potential malicious icon found
Source: initial sample | Icon embedded in PE file: bad icon match: 20047c7c70f0e004
Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe | Process Stats: CPU usage > 98%
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E83CA NtSetInformationThread, 0_2_020E83CA
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E0BD9 NtWriteVirtualMemory,TerminateProcess, 0_2_020E0BD9
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E6829 NtWriteVirtualMemory, 0_2_020E6829
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E8C6B NtProtectVirtualMemory, 0_2_020E8C6B
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E08C4 EnumWindows,NtSetInformationThread, 0_2_020E08C4
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9102 NtResumeThread, 0_2_020E9102
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E0D1D NtWriteVirtualMemory,TerminateProcess, 0_2_020E0D1D
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3E07 NtWriteVirtualMemory, 0_2_020E3E07
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9207 NtResumeThread, 0_2_020E9207
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E2202 NtSetInformationThread, 0_2_020E2202
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9624 NtResumeThread, 0_2_020E9624
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E0A3B NtSetInformationThread, 0_2_020E0A3B
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E2232 NtWriteVirtualMemory, 0_2_020E2232
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3A33 NtWriteVirtualMemory, 0_2_020E3A33
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E0A68 NtSetInformationThread, 0_2_020E0A68
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3A88 NtWriteVirtualMemory, 0_2_020E3A88
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E929D NtResumeThread, 0_2_020E929D
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9690 NtResumeThread, 0_2_020E9690
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E96F6 NtResumeThread, 0_2_020E96F6
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3718 NtWriteVirtualMemory, 0_2_020E3718
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9314 NtResumeThread, 0_2_020E9314
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3B33 NtWriteVirtualMemory, 0_2_020E3B33
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9344 NtResumeThread, 0_2_020E9344
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E975A NtResumeThread, 0_2_020E975A
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E779D NtSetInformationThread,NtWriteVirtualMemory, 0_2_020E779D
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3BAF NtWriteVirtualMemory, 0_2_020E3BAF
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E93AB NtResumeThread, 0_2_020E93AB
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E4FBC NtSetInformationThread, 0_2_020E4FBC
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3BFC NtWriteVirtualMemory, 0_2_020E3BFC
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E1BF9 NtWriteVirtualMemory, 0_2_020E1BF9
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E940C NtResumeThread, 0_2_020E940C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9820 NtResumeThread, 0_2_020E9820
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E384D NtWriteVirtualMemory, 0_2_020E384D
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9448 NtResumeThread, 0_2_020E9448
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3445 NtSetInformationThread, 0_2_020E3445
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3C5F NtWriteVirtualMemory, 0_2_020E3C5F
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3C83 NtWriteVirtualMemory, 0_2_020E3C83
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9883 NtResumeThread, 0_2_020E9883
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E98AF NtResumeThread, 0_2_020E98AF
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E38A3 NtWriteVirtualMemory, 0_2_020E38A3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E94A3 NtResumeThread, 0_2_020E94A3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E94D6 NtResumeThread, 0_2_020E94D6
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3CEC NtWriteVirtualMemory, 0_2_020E3CEC
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E38F1 NtWriteVirtualMemory, 0_2_020E38F1
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E4D0C NtSetInformationThread, 0_2_020E4D0C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E990C NtResumeThread, 0_2_020E990C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9511 NtResumeThread, 0_2_020E9511
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9133 NtResumeThread, 0_2_020E9133
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E3D4C NtWriteVirtualMemory, 0_2_020E3D4C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9547 NtResumeThread, 0_2_020E9547
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9157 NtResumeThread, 0_2_020E9157
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E396F NtWriteVirtualMemory, 0_2_020E396F
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E096D NtSetInformationThread, 0_2_020E096D
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E096B NtSetInformationThread, 0_2_020E096B
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E6566 NtWriteVirtualMemory, 0_2_020E6566
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E398C NtWriteVirtualMemory, 0_2_020E398C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E7D99 NtWriteVirtualMemory, 0_2_020E7D99
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E9193 NtResumeThread, 0_2_020E9193
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E91B4 NtResumeThread, 0_2_020E91B4
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E09C5 NtSetInformationThread, 0_2_020E09C5
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E39D4 NtWriteVirtualMemory, 0_2_020E39D4
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E61E3 NtWriteVirtualMemory, 0_2_020E61E3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E95E3 NtResumeThread, 0_2_020E95E3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 0_2_020E91F7 NtResumeThread, 0_2_020E91F7
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9A20 NtResumeThread,LdrInitializeThunk, 1_2_1E3E9A20
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9A00 NtProtectVirtualMemory,LdrInitializeThunk, 1_2_1E3E9A00
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9660 NtAllocateVirtualMemory,LdrInitializeThunk, 1_2_1E3E9660
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9A50 NtCreateFile,LdrInitializeThunk, 1_2_1E3E9A50
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E96E0 NtFreeVirtualMemory,LdrInitializeThunk, 1_2_1E3E96E0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9710 NtQueryInformationToken,LdrInitializeThunk, 1_2_1E3E9710
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E97A0 NtUnmapViewOfSection,LdrInitializeThunk, 1_2_1E3E97A0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9780 NtMapViewOfSection,LdrInitializeThunk, 1_2_1E3E9780
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9860 NtQuerySystemInformation,LdrInitializeThunk, 1_2_1E3E9860
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9840 NtDelayExecution,LdrInitializeThunk, 1_2_1E3E9840
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E98F0 NtReadVirtualMemory,LdrInitializeThunk, 1_2_1E3E98F0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9910 NtAdjustPrivilegesToken,LdrInitializeThunk, 1_2_1E3E9910
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9540 NtReadFile,LdrInitializeThunk, 1_2_1E3E9540
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E99A0 NtCreateSection,LdrInitializeThunk, 1_2_1E3E99A0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E95D0 NtClose,LdrInitializeThunk, 1_2_1E3E95D0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9610 NtEnumerateValueKey, 1_2_1E3E9610
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9A10 NtQuerySection, 1_2_1E3E9A10
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9670 NtQueryInformationProcess, 1_2_1E3E9670
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9650 NtQueryValueKey, 1_2_1E3E9650
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9A80 NtOpenDirectoryObject, 1_2_1E3E9A80
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E96D0 NtCreateKey, 1_2_1E3E96D0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9730 NtQueryVirtualMemory, 1_2_1E3E9730
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3EA710 NtOpenProcessToken, 1_2_1E3EA710
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9B00 NtSetValueKey, 1_2_1E3E9B00
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9770 NtSetInformationFile, 1_2_1E3E9770
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3EA770 NtOpenThread, 1_2_1E3EA770
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9760 NtOpenProcess, 1_2_1E3E9760
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3EA3B0 NtGetContextThread, 1_2_1E3EA3B0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9FE0 NtCreateMutant, 1_2_1E3E9FE0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9820 NtEnumerateKey, 1_2_1E3E9820
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3EB040 NtSuspendThread, 1_2_1E3EB040
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E98A0 NtWriteVirtualMemory, 1_2_1E3E98A0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3EAD30 NtSetContextThread, 1_2_1E3EAD30
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9520 NtWaitForSingleObject, 1_2_1E3E9520
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9560 NtWriteFile, 1_2_1E3E9560
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E9950 NtQueueApcThread, 1_2_1E3E9950
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E95F0 NtQueryInformationFile, 1_2_1E3E95F0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_1E3E99D0 NtCreateProcessEx, 1_2_1E3E99D0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00568C6B NtProtectVirtualMemory, 1_2_00568C6B
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569102 NtSetInformationThread, 1_2_00569102
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00564533 LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00564533
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056325E CreateThread,TerminateThread,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056325E
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056332B RtlAddVectoredExceptionHandler,NtProtectVirtualMemory,LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056332B
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005643A5 Sleep,NtProtectVirtualMemory, 1_2_005643A5
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00563447 NtProtectVirtualMemory, 1_2_00563447
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569448 NtSetInformationThread, 1_2_00569448
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056447A NtProtectVirtualMemory, 1_2_0056447A
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056940C NtSetInformationThread, 1_2_0056940C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569820 NtSetInformationThread, 1_2_00569820
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005694D6 NtSetInformationThread, 1_2_005694D6
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00564483 NtProtectVirtualMemory, 1_2_00564483
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569883 NtSetInformationThread, 1_2_00569883
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005694A3 NtSetInformationThread, 1_2_005694A3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005698AF NtSetInformationThread, 1_2_005698AF
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569157 NtSetInformationThread, 1_2_00569157
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569547 NtSetInformationThread, 1_2_00569547
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056154F NtProtectVirtualMemory, 1_2_0056154F
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056154A NtProtectVirtualMemory, 1_2_0056154A
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00561514 NtProtectVirtualMemory, 1_2_00561514
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569511 NtSetInformationThread, 1_2_00569511
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056990C NtSetInformationThread, 1_2_0056990C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569133 NtSetInformationThread, 1_2_00569133
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00564538 LdrInitializeThunk,NtProtectVirtualMemory, 1_2_00564538
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056452B LdrInitializeThunk,NtProtectVirtualMemory, 1_2_0056452B
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005645D0 LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005645D0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005691F7 NtSetInformationThread, 1_2_005691F7
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005695E3 NtSetInformationThread, 1_2_005695E3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569193 NtSetInformationThread, 1_2_00569193
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005691B4 NtSetInformationThread, 1_2_005691B4
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00564668 NtProtectVirtualMemory, 1_2_00564668
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056461C NtProtectVirtualMemory, 1_2_0056461C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569207 NtSetInformationThread, 1_2_00569207
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569624 NtSetInformationThread, 1_2_00569624
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005696F6 NtSetInformationThread, 1_2_005696F6
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005632FC LdrInitializeThunk,NtProtectVirtualMemory, 1_2_005632FC
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569690 NtSetInformationThread, 1_2_00569690
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056929D NtSetInformationThread, 1_2_0056929D
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_0056975A NtSetInformationThread, 1_2_0056975A
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569344 NtSetInformationThread, 1_2_00569344
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00563340 NtProtectVirtualMemory, 1_2_00563340
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_00569314 NtSetInformationThread, 1_2_00569314
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005633ED NtProtectVirtualMemory, 1_2_005633ED
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005633A3 NtProtectVirtualMemory, 1_2_005633A3
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe; Code function: 1_2_005693AB NtSetInformationThread, 1_2_005693AB
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39860 NtQuerySystemInformation,LdrInitializeThunk, 14_2_00F39860
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39840 NtDelayExecution,LdrInitializeThunk, 14_2_00F39840
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F399A0 NtCreateSection,LdrInitializeThunk, 14_2_00F399A0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39910 NtAdjustPrivilegesToken,LdrInitializeThunk, 14_2_00F39910
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39A50 NtCreateFile,LdrInitializeThunk, 14_2_00F39A50
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F395D0 NtClose,LdrInitializeThunk, 14_2_00F395D0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39540 NtReadFile,LdrInitializeThunk, 14_2_00F39540
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F396E0 NtFreeVirtualMemory,LdrInitializeThunk, 14_2_00F396E0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F396D0 NtCreateKey,LdrInitializeThunk, 14_2_00F396D0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39FE0 NtCreateMutant,LdrInitializeThunk, 14_2_00F39FE0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39780 NtMapViewOfSection,LdrInitializeThunk, 14_2_00F39780
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39710 NtQueryInformationToken,LdrInitializeThunk, 14_2_00F39710
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F398F0 NtReadVirtualMemory, 14_2_00F398F0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F398A0 NtWriteVirtualMemory, 14_2_00F398A0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F3B040 NtSuspendThread, 14_2_00F3B040
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39820 NtEnumerateKey, 14_2_00F39820
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F399D0 NtCreateProcessEx, 14_2_00F399D0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39950 NtQueueApcThread, 14_2_00F39950
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39A80 NtOpenDirectoryObject, 14_2_00F39A80
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39A20 NtResumeThread, 14_2_00F39A20
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39A10 NtQuerySection, 14_2_00F39A10
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39A00 NtProtectVirtualMemory, 14_2_00F39A00
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F3A3B0 NtGetContextThread, 14_2_00F3A3B0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39B00 NtSetValueKey, 14_2_00F39B00
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F395F0 NtQueryInformationFile, 14_2_00F395F0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39560 NtWriteFile, 14_2_00F39560
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F3AD30 NtSetContextThread, 14_2_00F3AD30
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39520 NtWaitForSingleObject, 14_2_00F39520
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39670 NtQueryInformationProcess, 14_2_00F39670
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39660 NtAllocateVirtualMemory, 14_2_00F39660
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39650 NtQueryValueKey, 14_2_00F39650
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39610 NtEnumerateValueKey, 14_2_00F39610
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F397A0 NtUnmapViewOfSection, 14_2_00F397A0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F3A770 NtOpenThread, 14_2_00F3A770
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39770 NtSetInformationFile, 14_2_00F39770
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39760 NtOpenProcess, 14_2_00F39760
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F39730 NtQueryVirtualMemory, 14_2_00F39730
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00F3A710 NtOpenProcessToken, 14_2_00F3A710
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00569D40 NtCreateFile, 14_2_00569D40
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00569DF0 NtReadFile, 14_2_00569DF0
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00569E70 NtClose, 14_2_00569E70
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00569D3B NtCreateFile, 14_2_00569D3B
      Source: C:\Windows\SysWOW64\ipconfig.exe; Code function: 14_2_00569E6A NtClose, 14_2_00569E6A
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 0_2_00402F8C 0_2_00402F8C
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3C6E30 1_2_1E3C6E30
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E472EF7 1_2_1E472EF7
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E4722AE 1_2_1E4722AE
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E472B28 1_2_1E472B28
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3DEBB0 1_2_1E3DEBB0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E46DBD2 1_2_1E46DBD2
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E471FF1 1_2_1E471FF1
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3B841F 1_2_1E3B841F
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E461002 1_2_1E461002
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3D20A0 1_2_1E3D20A0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3BB090 1_2_1E3BB090
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E4728EC 1_2_1E4728EC
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E4720A8 1_2_1E4720A8
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E471D55 1_2_1E471D55
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3A0D20 1_2_1E3A0D20
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3C4120 1_2_1E3C4120
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3AF900 1_2_1E3AF900
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E472D07 1_2_1E472D07
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E4725DD 1_2_1E4725DD
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3D2581 1_2_1E3D2581
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3BD5E0 1_2_1E3BD5E0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00069862 1_2_00069862
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00061069 1_2_00061069
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00061072 1_2_00061072
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00062CEC 1_2_00062CEC
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00062CF2 1_2_00062CF2
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00068132 1_2_00068132
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_0006AA32 1_2_0006AA32
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00065B1F 1_2_00065B1F
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00065B22 1_2_00065B22
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC28EC 14_2_00FC28EC
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F220A0 14_2_00F220A0
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC20A8 14_2_00FC20A8
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F0B090 14_2_00F0B090
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FB1002 14_2_00FB1002
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F14120 14_2_00F14120
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00EFF900 14_2_00EFF900
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC22AE 14_2_00FC22AE
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FBDBD2 14_2_00FBDBD2
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F2EBB0 14_2_00F2EBB0
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC2B28 14_2_00FC2B28
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FBD466 14_2_00FBD466
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F0841F 14_2_00F0841F
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F0D5E0 14_2_00F0D5E0
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC25DD 14_2_00FC25DD
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F22581 14_2_00F22581
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC1D55 14_2_00FC1D55
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00EF0D20 14_2_00EF0D20
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC2D07 14_2_00FC2D07
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC2EF7 14_2_00FC2EF7
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F16E30 14_2_00F16E30
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FBD616 14_2_00FBD616
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00FC1FF1 14_2_00FC1FF1
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_0056DB7D 14_2_0056DB7D
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00552D90 14_2_00552D90
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00552D89 14_2_00552D89
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00559E40 14_2_00559E40
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00559E3B 14_2_00559E3B
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_0056DFC9 14_2_0056DFC9
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00552FB0 14_2_00552FB0
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: String function: 1E3AB150 appears 35 times
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 00EFB150 appears 35 times
      Source: RFQ MOLD6312701 2K Modification.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: RFQ MOLD6312701 2K Modification.exe, 00000000.00000000.667277911.0000000000411000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNonexportable.exe vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe, 00000000.00000002.688420914.00000000020A0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000003.819339559.000000000099C000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.823746841.000000001DDA0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000000.687207989.0000000000411000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNonexportable.exe vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.825939168.000000001E62F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.823775813.000000001DEF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs RFQ MOLD6312701 2K Modification.exe
      Source: RFQ MOLD6312701 2K Modification.exe Binary or memory string: OriginalFilenameNonexportable.exe vs RFQ MOLD6312701 2K Modification.exe
      Source: 0000000E.00000002.931927012.0000000000AA1000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.931845457.0000000000A00000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.931749733.0000000000910000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.824195915.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.824195915.000000001E150000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 00000001.00000002.820005196.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 00000001.00000002.820005196.00000000000A0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.931464417.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
      Source: 0000000E.00000002.931464417.0000000000550000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.932724238.00000000034FF000.00000004.00000001.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engine Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@3/2
      Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6864:120:WilError_01
      Source: RFQ MOLD6312701 2K Modification.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: RFQ MOLD6312701 2K Modification.exe Virustotal: Detection: 20%
      Source: unknown Process created: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe'
      Source: unknown Process created: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe'
      Source: unknown Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
      Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe'
      Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Process created: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe'
      Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe'
      Source: Binary string: ipconfig.pdb source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820025774.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: ipconfig.pdbGCTL source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.820025774.00000000000D0000.00000040.00000001.sdmp
      Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000002.941840567.0000000005A00000.00000002.00000001.sdmp
      Source: Binary string: wntdll.pdbUGP source: RFQ MOLD6312701 2K Modification.exe, 00000001.00000002.825584214.000000001E380000.00000040.00000001.sdmp, ipconfig.exe, 0000000E.00000002.932303690.0000000000FEF000.00000040.00000001.sdmp
      Source: Binary string: wntdll.pdb source: RFQ MOLD6312701 2K Modification.exe, ipconfig.exe
      Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000002.941840567.0000000005A00000.00000002.00000001.sdmp

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match File source: Process Memory Space: RFQ MOLD6312701 2K Modification.exe PID: 6036, type: MEMORY
      Source: Yara match File source: Process Memory Space: RFQ MOLD6312701 2K Modification.exe PID: 1320, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match File source: Process Memory Space: RFQ MOLD6312701 2K Modification.exe PID: 6036, type: MEMORY
      Source: Yara match File source: Process Memory Space: RFQ MOLD6312701 2K Modification.exe PID: 1320, type: MEMORY
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 0_2_0040E5EA push eax; ret 0_2_0040E629
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_1E3FD0D1 push ecx; ret 1_2_1E3FD0E4
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_0006E3E6 pushad ; ret 1_2_0006E3E7
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00565AA7 push ds; ret 1_2_00565AA8
      Source: C:\Users\user\Desktop\RFQ MOLD6312701 2K Modification.exe Code function: 1_2_00565BA7 push ds; ret 1_2_00565BA8
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00F4D0D1 push ecx; ret 14_2_00F4D0E4
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_0056705B push esi; ret 14_2_0056705C
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00566989 push edi; retf 14_2_0056698F
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00567C5E push esi; iretd 14_2_00567C5F
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00567D40 push eax; ret 14_2_00567D41
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00566679 push ebp; retf 14_2_0056667A
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_0056AE79 push ebx; ret 14_2_0056AE7D
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_00569666 push ss; iretd 14_2_0056966B
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_0056BE12 push ebp; ret 14_2_0056BE15
      Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 14_2_0056CEE2 push eax; ret 14_2_0056CEE8
      Source: C:\Windows