Analysis Report JAAkR51fQY.exe

Overview

General Information

Sample Name: JAAkR51fQY.exe
Analysis ID: 339314
MD5: 1dd3dda596f5391bb865683fa49b531e
SHA1: 37eab36b9caabc5e1d55086da5c46bc50b012fca
SHA256: 2abb16d594f4b36fc8b8aab8cab7736350421c619cec8e12e8975e87f7a99faa
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • JAAkR51fQY.exe (PID: 2204 cmdline: 'C:\Users\user\Desktop\JAAkR51fQY.exe' MD5: 1DD3DDA596F5391BB865683FA49B531E)
    • schtasks.exe (PID: 6008 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 4144 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 2412 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 4768 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6228 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", 
"0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", 
".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "slgacha.com", "oohdough.com", "6983ylc.com", "aykassociate.com", "latin-hotspot.com", "starrockindia.com", "beamsubway.com", "queensboutique1000.com", "madbaddie.com", "bhoomimart.com", "ankitparivar.com", "aldanasanchezmx.com", "citest1597669833.com", "cristianofreitas.com", "myplantus.com", "counterfeitmilk.com", "8xf39.com", "pregnantwomens.com", "yyyut6.com", "stnanguo.com", "fessusesefsee.com", "logansshop.net", "familydalmatianhomes.com", "accessible.legal", "epicmassiveconcepts.com", "indianfactopedia.com", "exit-divorce.com", "colliapse.com", "nosishop.com", "hayat-aljowaily.com", "soundon.events", "previnacovid19-br.com", "traptlongview.com", "splendidhotelspa.com", "masterzushop.com", "ednevents.com", "studentdividers.com", "treningi-enduro.com", "hostingcoaster.com", "gourmetgroceriesfast.com", "thesouthbeachlife.com", "teemergin.com", "fixmygearfast.com", "arb-invest.com", "shemaledreamz.com", "1819apparel.com", "thedigitalsatyam.com", "alparmuhendislik.com", "distinctmusicproductions.com", "procreditexpert.com", "insights4innovation.com", "jzbtl.com", "1033325.com", "sorteocamper.info", "scheherazadelegault.com", "glowportraiture.com", "cleitstaapps.com", "globepublishers.com", "stattests.com", "brainandbodystrengthcoach.com", "magenx2.info", 
"escaparati.com", "wood-decor24.com", "travelnetafrica.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.herbmedia.net/csv8/\u0000"]}

Yara Overview

Memory Dumps

Source: 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security

Unpacked PEs

Source: 4.2.vbc.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.vbc.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 4.2.vbc.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group, Strings:
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.vbc.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 4.2.vbc.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com, Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\JAAkR51fQY.exe', ParentImage: C:\Users\user\Desktop\JAAkR51fQY.exe, ParentProcessId: 2204, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\zLIpEDZOH' /XML 'C:\Users\user\AppData\Local\Temp\tmp8416.tmp', ProcessId: 6008

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.yyyut6.com/csv8/www.alparmuhendislik.com, Avira URL Cloud: Label: phishing
Source: http://www.yyyut6.com, Avira URL Cloud: Label: phishing
Source: http://www.yyyut6.com/csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf, Avira URL Cloud: Label: phishing
Source: http://www.yyyut6.com/csv8/, Avira URL Cloud: Label: phishing
Found malware configuration
Source: 4.2.vbc.exe.400000.0.unpack, Malware Configuration Extractor: FormBook (the full extracted configuration is listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe, ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: JAAkR51fQY.exe, Virustotal: Detection: 31%
Source: JAAkR51fQY.exe, ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match, File source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: JAAkR51fQY.exe, Joe Sandbox ML: detected
Source: 0.2.JAAkR51fQY.exe.6d0000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen2
Source: 4.2.vbc.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\JAAkR51fQY.exe, Unpacked PE file: 0.2.JAAkR51fQY.exe.6d0000.0.unpack
Source: JAAkR51fQY.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: JAAkR51fQY.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP, source: vbc.exe, 00000004.00000002.269880810.00000000057AF000.00000040.00000001.sdmp, wlanext.exe, 0000000A.00000002.587511214.0000000002E60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: vbc.exe, wlanext.exe
Source: Binary string: wlanext.pdb, source: vbc.exe, 00000004.00000002.269706677.0000000005660000.00000040.00000001.sdmp
Source: Binary string: vbc.pdb, source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmp
Source: Binary string: wlanext.pdbGCTL, source: vbc.exe, 00000004.00000002.269706677.0000000005660000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\JAAkR51fQY.exe, Code function: 4x nop then jmp 07922DADh (0_2_07922D38)
Source: C:\Users\user\Desktop\JAAkR51fQY.exe, Code function: 4x nop then jmp 07922DADh (0_2_07922D2A)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 4x nop then pop ebx (4_2_00406A94)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 4x nop then pop edi (4_2_0040C3D7)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe, Code function: 4x nop then pop edi (4_2_0040C3AE)
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop ebx (10_2_00706A96)
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop edi (10_2_0070C3D7)
Source: C:\Windows\SysWOW64\wlanext.exe, Code function: 4x nop then pop edi (10_2_0070C3AE)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 99.83.185.45:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 99.83.185.45:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49736 -> 99.83.185.45:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 104.21.13.175:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 104.21.13.175:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 104.21.13.175:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49759 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 99.83.185.45:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 99.83.185.45:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 99.83.185.45:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 104.21.13.175:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 104.21.13.175:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 104.21.13.175:80
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.colliapse.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=Vx5DYRfwQ2epFb7A1EFDXiUpfmaHAUA5hBGztbTHqIjku20m3oo4TlvQkKcY2MtY2Zvt&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.masterzushop.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=9kzRsbxjodB183f+254XmaaPYHqImudbPq/bqqkJnFvk55YE4DuWwUiPiLBFKkj0LF/s&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.aldanasanchezmx.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=wz9bsKZezgylXE2xySv04yz/UXtzAnP44BanueQcObrBh8vQr+0W6/ezJrtA4EzaB/eD&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.bhoomimart.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.yyyut6.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.alparmuhendislik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODxivVfv92N&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.globepublishers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=SPYfUtJhDLYzT/ro+iJTgsw3x4bzIhIKNu8aW1ARl1xXF5uYI7qDVxucqZEX6pWizqEA&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.thedigitalsatyam.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=0hV2NfdVjmx+yfQvTLszaaA4nyOLrpeuP9TqtJZz9egJMD1sBqTfWGO8dwDzLIh3ahLd&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.scheherazadelegault.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=JcDbJrKBTdSh2qrV/QHXhZH9/vCGpAjnUxGYv0DqxJ8xNpceyS+NtrlgJ2Ns4M+VWFGw&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.starrockindia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.studentdividers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /csv8/?EZUXxJ=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&DzrLH=VBZHYDrxndGXyf HTTP/1.1 | Host: www.epicmassiveconcepts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 198.185.159.144
Source: Joe Sandbox View, ASN Name: OVHFR
Source: Joe Sandbox View, ASN Name: EGIHOSTINGUS
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=Z54U04wqGI300YwketVjcixyHBr4HpwtQE6vF0nldb1Lz0z4UH78CnHRphUFHPRBURpw&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.colliapse.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=Vx5DYRfwQ2epFb7A1EFDXiUpfmaHAUA5hBGztbTHqIjku20m3oo4TlvQkKcY2MtY2Zvt&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.masterzushop.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=9kzRsbxjodB183f+254XmaaPYHqImudbPq/bqqkJnFvk55YE4DuWwUiPiLBFKkj0LF/s&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.aldanasanchezmx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=wz9bsKZezgylXE2xySv04yz/UXtzAnP44BanueQcObrBh8vQr+0W6/ezJrtA4EzaB/eD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.bhoomimart.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=XH4K2dDF2Z84HBPAGb7BC8YK+Vs0QVFZSQgY+MY/R5kdga2e+ACccNk2g5CQED5lfKqn&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.yyyut6.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.alparmuhendislik.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=QLtdsMlXP7ZQlvjWT7fAeOzLoSV1+fXm7wWs73uECgmLouwXj2mCPN/rnODxivVfv92N&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.globepublishers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: global trafficHTTP traffic detected: GET /csv8/?EZUXxJ=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&DzrLH=VBZHYDrxndGXyf HTTP/1.1Host: www.epicmassiveconcepts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
            Source: unknownDNS traffic detected: queries for: www.colliapse.com
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 NOT FOUNDServer: nginxDate: Wed, 13 Jan 2021 19:53:41 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINContent-Language: es-mxVary: Accept-Language, Cookie
            Source: explorer.exe, 00000005.00000000.257657621.000000000F640000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: JAAkR51fQY.exe, 00000000.00000002.228844270.0000000002BF2000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.aldanasanchezmx.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.aldanasanchezmx.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.aldanasanchezmx.com/csv8/www.bhoomimart.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.aldanasanchezmx.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.alparmuhendislik.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.alparmuhendislik.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.alparmuhendislik.com/csv8/www.latin-hotspot.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.alparmuhendislik.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.ankitparivar.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.ankitparivar.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.ankitparivar.comReferer:
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.bhoomimart.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.bhoomimart.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.bhoomimart.com/csv8/www.yyyut6.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.bhoomimart.comReferer:
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.colliapse.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.colliapse.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.colliapse.com/csv8/www.masterzushop.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.colliapse.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.epicmassiveconcepts.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.epicmassiveconcepts.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.epicmassiveconcepts.com/csv8/www.magenx2.info
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.epicmassiveconcepts.comReferer:
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: JAAkR51fQY.exe, 00000000.00000003.227413251.0000000007E45000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comK
            Source: JAAkR51fQY.exe, 00000000.00000003.227413251.0000000007E45000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comasva
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: JAAkR51fQY.exe, 00000000.00000003.205857658.0000000007E52000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: JAAkR51fQY.exe, 00000000.00000003.205857658.0000000007E52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnh
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.globepublishers.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.globepublishers.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.globepublishers.com/csv8/www.thedigitalsatyam.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.globepublishers.comReferer:
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.herbmedia.net
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.herbmedia.net/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.herbmedia.net/csv8/www.scheherazadelegault.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.herbmedia.netReferer:
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp, JAAkR51fQY.exe, 00000000.00000003.206667781.0000000007E43000.00000004.00000001.sdmp, JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/-cz
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/.
            Source: JAAkR51fQY.exe, 00000000.00000003.206667781.0000000007E43000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp//e
            Source: JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y
            Source: JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0e
            Source: JAAkR51fQY.exe, 00000000.00000003.207061983.0000000007E47000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y0onY
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/f
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmp, JAAkR51fQY.exe, 00000000.00000003.207211285.0000000007E49000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/K
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/sDX
            Source: JAAkR51fQY.exe, 00000000.00000003.207420358.0000000007E4B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/t
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.latin-hotspot.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.latin-hotspot.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.latin-hotspot.com/csv8/www.globepublishers.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.latin-hotspot.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.magenx2.info
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.magenx2.info/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.magenx2.info/csv8/www.ankitparivar.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.magenx2.infoReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.masterzushop.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.masterzushop.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.masterzushop.com/csv8/www.aldanasanchezmx.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.masterzushop.comReferer:
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.scheherazadelegault.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.scheherazadelegault.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.scheherazadelegault.com/csv8/www.starrockindia.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.scheherazadelegault.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.starrockindia.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.starrockindia.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.starrockindia.com/csv8/www.studentdividers.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.starrockindia.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.studentdividers.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.studentdividers.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.studentdividers.com/csv8/www.epicmassiveconcepts.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.studentdividers.comReferer:
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.thedigitalsatyam.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.thedigitalsatyam.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.thedigitalsatyam.com/csv8/www.herbmedia.net
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.thedigitalsatyam.comReferer:
            Source: explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.yyyut6.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.yyyut6.com/csv8/
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.yyyut6.com/csv8/www.alparmuhendislik.com
            Source: explorer.exe, 00000005.00000003.549981020.00000000089D8000.00000004.00000001.sdmpString found in binary or memory: http://www.yyyut6.comReferer:
            Source: JAAkR51fQY.exe, 00000000.00000002.238883783.00000000090D2000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.253741249.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://cpanel.hostinger.com
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/hostinger/banners/master/hostinger_welcome/images/hostinger-dragon
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://raw.githubusercontent.com/hostinger/banners/master/hostinger_welcome/images/hostinger-logo.p
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.googletagmanager.com/gtag/js?id=UA-26575989-44
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.hostinger.com/
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.hostinger.com/affiliate-program
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.hostinger.com/blog/
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.hostinger.com/knowledge-base
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.hostinger.com/make-money-online
            Source: wlanext.exe, 0000000A.00000002.592768859.0000000003647000.00000004.00000001.sdmpString found in binary or memory: https://www.hostinger.com/tutorials
            Source: JAAkR51fQY.exe, 00000000.00000002.228113773.0000000000EDA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara matchFile source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004181C0 NtCreateFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00418270 NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004182F0 NtClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004183A0 NtAllocateVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_004181BA NtCreateFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041826A NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9540 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F95D0 NtClose,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9710 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9FE0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F97A0 NtUnmapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9780 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F96E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F99A0 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9840 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F98F0 NtReadVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9A50 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9A20 NtResumeThread,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9A00 NtProtectVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9560 NtWriteFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9520 NtWaitForSingleObject
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056FAD30 NtSetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F95F0 NtQueryInformationFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9760 NtOpenProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9770 NtSetInformationFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056FA770 NtOpenThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9730 NtQueryVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056FA710 NtOpenProcessToken
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9670 NtQueryInformationProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9650 NtQueryValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9610 NtEnumerateValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F96D0 NtCreateKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9950 NtQueueApcThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F99D0 NtCreateProcessEx
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056FB040 NtSuspendThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9820 NtEnumerateKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F98A0 NtWriteVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9B00 NtSetValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056FA3B0 NtGetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9A10 NtQuerySection
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056F9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9A50 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9840 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC99A0 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9910 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC96E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC96D0 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9650 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9FE0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9780 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9710 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC95D0 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9540 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9A20 NtResumeThread
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9A10 NtQuerySection
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02ECA3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC98F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC98A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02ECB040 NtSuspendThread
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC99D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC97A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9760 NtOpenProcess
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02ECA770 NtOpenThread
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02ECA710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC95F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9560 NtWriteFile
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EC9520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02ECAD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_007181C0 NtCreateFile
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_00718270 NtReadFile
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_007182F0 NtClose
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_007183A0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_007181BA NtCreateFile
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_0071826A NtReadFile
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01121068
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_011222A0
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_011204E0
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01121820
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01124048
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01121067
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01125208
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01122290
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01125440
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_011256F0
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01121811
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_011258E8
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_01124BB0
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_0792158A
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_07922D38
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_07922D2A
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_09C4F278
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_0A3B4BB8
            Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Code function: 0_2_0A3B1B71
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00401030
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041B8A3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041C23F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041C2AF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041C3DF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00408C60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041CC13
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041B4A3
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00402D90
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041BD9B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041BE60
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0041C603
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_00402FB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_05781D55
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056B0D20
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_05782D07
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056CD5E0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_057825DD
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056E2581
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0577D466
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056C841F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_05781FF1
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0578DFCE
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056D6E30
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0577D616
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_05782EF7
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056D4120
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056BF900
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056D99BF
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0578E824
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056DA830
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_05771002
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_057828EC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056E20A0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_057820A8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056CB090
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056DAB40
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_05782B28
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0577DBD2
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_057703DA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_056EEBB0
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_0576FA2B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4_2_057822AE
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F522AE
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F3FA2B
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F4DBD2
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F403DA
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EBEBB0
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EAAB40
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F52B28
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F528EC
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EB20A0
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F520A8
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02E9B090
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F5E824
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EAA830
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F41002
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EA99BF
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EA4120
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02E8F900
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F52EF7
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EA6E30
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F4D616
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F51FF1
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F5DFCE
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F4D466
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02E9841F
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02E9D5E0
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F525DD
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02EB2581
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F51D55
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02E80D20
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_02F52D07
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_00708C60
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_0071CC13
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_00702D90
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_0071C603
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 10_2_00702FB0
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe 2ABB16D594F4B36FC8B8AAB8CAB7736350421C619CEC8E12E8975E87F7A99FAA
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 02E8B150 appears 72 times
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 056BB150 appears 69 times
            Source: JAAkR51fQY.exe | Binary or memory string: OriginalFilename vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe, 00000000.00000002.228381920.0000000002A91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe, 00000000.00000000.201623771.00000000007D8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename7 vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe, 00000000.00000002.241594476.0000000009BC0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe, 00000000.00000002.239638081.0000000009810000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe, 00000000.00000002.228113773.0000000000EDA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe | Binary or memory string: OriginalFilename7 vs JAAkR51fQY.exe
            Source: JAAkR51fQY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.585911893.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.268975653.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.587186497.0000000002BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.269629188.0000000005610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000002.583664848.0000000000700000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.230538128.000000000446C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 4.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: JAAkR51fQY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: zLIpEDZOH.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/3@20/11
Source: C:\Users\user\Desktop\JAAkR51fQY.exe | File created: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe
Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Mutant created: \Sessions\1\BaseNamedObjects\ClgKynUFvXeJiYbLYFNDwWt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
Source: C:\Users\user\Desktop\JAAkR51fQY.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8416.tmp
Source: JAAkR51fQY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\JAAkR51fQY.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: JAAkR51fQY.exe | Virustotal: Detection: 31%
Source: JAAkR51fQY.exe | ReversingLabs: Detection: 31%
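The observation lines above are the raw material an analyst turns into indicators. As an added example, not part of the Joe Sandbox report or its tooling, the Python script below parses lines of this shape into a structured summary: YARA hits with the source type (memory dump versus unpacked PE) and rule provenance, dropped files, mutexes, registry keys opened, vendor detection rates, and file activity attributed to processes other than the sample itself. That last bucket matters here because the report's injection signatures (process hollowing, foreign memory writes) mean the hosts-file read by explorer.exe is the injected payload at work, not explorer. The input is copied from this section and normalised to "Source: <origin> | <event>: <detail>"; the function names are this example's own, and treating conhost's WilError_01 objects as benign noise is an assumption of the example, not a statement from the report.

```python
import re
from collections import defaultdict

# Constructed input for this example: observations from the report above,
# normalised to "Source: <origin> | <event>: <detail>". Not a live sandbox feed.
REPORT_LINES = [
    "Source: 00000004.00000002.269603953.00000000055E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE",
    "Source: 4.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research",
    r"Source: C:\Users\user\Desktop\JAAkR51fQY.exe | File created: C:\Users\user\AppData\Roaming\zLIpEDZOH.exe",
    r"Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Mutant created: \Sessions\1\BaseNamedObjects\ClgKynUFvXeJiYbLYFNDwWt",
    r"Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_01",
    r"Source: C:\Users\user\Desktop\JAAkR51fQY.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8416.tmp",
    r"Source: C:\Users\user\Desktop\JAAkR51fQY.exe | File read: C:\Users\user\Desktop\desktop.ini",
    r"Source: C:\Users\user\Desktop\JAAkR51fQY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers",
    r"Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts",
    "Source: JAAkR51fQY.exe | Virustotal: Detection: 31%",
    "Source: JAAkR51fQY.exe | ReversingLabs: Detection: 31%",
]

# Assumption of this example: conhost's per-console WilError_01 sync objects are benign noise.
NOISE_MUTANTS = re.compile(r"\\Local\\SM0:\d+:\d+:WilError_01$")
LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<event>[^:]+):\s*(?P<detail>.*)$")
YARA_RE = re.compile(r"^(?P<rule>\S+)\s+(?P<meta>.*)$")
# "key = value" pairs; a value runs until the next ", key =" or end of string.
META_RE = re.compile(r"(\w+)\s*=\s*(.*?)(?=,\s*\w+\s*=|$)")


def parse_line(line):
    """Split one observation into source, event name and detail; None if malformed."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def split_source(source):
    """'x.sdmp, type: MEMORY' -> ('x.sdmp', 'MEMORY'); a plain path -> (path, None)."""
    if ", type: " in source:
        origin, kind = source.split(", type: ", 1)
        return origin, kind
    return source, None


def parse_yara_meta(detail):
    """'Formbook_1 date = ..., author = ...' -> ('Formbook_1', {'date': ..., 'author': ...})."""
    m = YARA_RE.match(detail)
    if not m:
        return detail, {}
    meta = {k: v.strip() for k, v in META_RE.findall(m.group("meta"))}
    return m.group("rule"), meta


def summarize(lines):
    """Bucket observations into indicator categories an analyst would triage."""
    s = {"yara": [], "dropped_files": [], "mutexes": [], "registry_keys": [],
         "file_reads": defaultdict(list), "av_detection": {}}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        origin, kind = split_source(rec["source"])
        event, detail = rec["event"], rec["detail"]
        if event == "Matched rule":
            rule, meta = parse_yara_meta(detail)
            s["yara"].append({"rule": rule, "origin": origin, "type": kind,
                              "author": meta.get("author"),
                              "reference": meta.get("malpedia_reference", meta.get("reference"))})
        elif event == "File created":
            s["dropped_files"].append(detail)
        elif event == "Mutant created":
            if not NOISE_MUTANTS.search(detail):
                s["mutexes"].append(detail)
        elif event == "Key opened":
            s["registry_keys"].append(detail)
        elif event == "File read":
            s["file_reads"][origin].append(detail)
        else:
            pct = re.search(r"Detection:\s*(\d+)%", detail)  # "Virustotal: Detection: 31%"
            if pct:
                s["av_detection"][event] = int(pct.group(1))
    return s


def foreign_process_activity(summary, sample_paths):
    """File reads attributed to processes other than the sample: with the injection
    signatures in this report, that is where the injected payload is executing."""
    return {proc: reads for proc, reads in summary["file_reads"].items() if proc not in sample_paths}


if __name__ == "__main__":
    result = summarize(REPORT_LINES)
    for hit in result["yara"]:
        print(f"YARA {hit['rule']} ({hit['type']}) from {hit['origin']} by {hit['author']}")
    print("dropped:", result["dropped_files"])
    print("mutexes:", result["mutexes"])
    print("foreign:", foreign_process_activity(result, {r"C:\Users\user\Desktop\JAAkR51fQY.exe"}))
```

The two YARA hits are kept separately on purpose: the JPCERT rule firing on the unpacked PE at 4.2.vbc.exe.400000.0 and the Malpedia rule firing on a memory dump corroborate each other, and the mutex name and the dropped copy under AppData\Roaming are the host-based indicators worth pushing to endpoint tooling.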