Analysis Report 4pFzkB6ePK.exe

Overview

General Information

Sample Name: 4pFzkB6ePK.exe
Analysis ID: 356512
MD5: 6dd83e20f43a9bd2e136fcd77131f7e4
SHA1: 2d816c160bba20f5e3989af02985118e42a4fe70
SHA256: 5babb878615fbf3b56008f4d7becccdb0a316e3eecb95ce99ea2a6c9d5a8a19a
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 4pFzkB6ePK.exe (PID: 6484 cmdline: 'C:\Users\user\Desktop\4pFzkB6ePK.exe' MD5: 6DD83E20F43A9BD2E136FCD77131F7E4)
    • 4pFzkB6ePK.exe (PID: 6880 cmdline: C:\Users\user\Desktop\4pFzkB6ePK.exe MD5: 6DD83E20F43A9BD2E136FCD77131F7E4)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 808 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6536 cmdline: /c del 'C:\Users\user\Desktop\4pFzkB6ePK.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.ntljcb.com/tub0/"], "decoy": ["playgeazie.com", "blessedmindset.net", "alejofaj.com", "electricbiketechnologes.com", "jmrrealestatellc.com", "alphafathers.com", "trinityhousegoa.com", "trainingrealestateagents.com", "esarpfabrikasi.com", "bookgallary.com", "centralpark-mca.net", "killthemessengermedia.com", "ayderthermal.com", "adsdito.com", "findmy-fmi.info", "1030aponiplace.com", "nachbau.net", "richtig-zuhause-lernen.com", "wuovcoizph.net", "avrplayground.com", "miamiimportca.com", "henrysmassey.com", "truthish.fyi", "serildaspeaks.com", "the-tagteam.com", "s-keer.com", "millersgreenacresfarm.com", "bodytruffle.com", "djtlp.com", "buystockswithcreditcard.com", "estevezcosmetics.com", "fsqlgt.com", "rochellparente.com", "elepope.com", "makiyato.com", "standoniner.com", "onemicandabunchofothers.com", "actranslate.com", "jewelstomorejewels.com", "xn--d1afwajbhp.site", "gogomarketing.xyz", "plietea.club", "carbon-foam.com", "gidanpacouture.com", "covidwatcharizona.com", "truvizi.com", "castleshortage.com", "afromesagroup.com", "specter.one", "mac-compost.com", "spicyfilm.com", "aslanforklift.com", "oka.one", "myjewely.com", "floridashooters.com", "2seamapparel.com", "europeanctosummit.com", "beyond-cultures.com", "cowbex.info", "amandawilsonfamilylaw.com", "whereisdalie.com", "statuniverse.com", "nobotsland.net", "dateatither.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.4pFzkB6ePK.exe.26d4938.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x120ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x120e42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1486f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x148a82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x12cb55:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x154795:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12c641:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x154281:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x12cc57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x154897:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x12cdcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x154a0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x12185a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x14949a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12b8bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1534fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1225d2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x14a212:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x131c47:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x159887:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x132cea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x12eb79:$sqlite3step: 68 34 1C 7B E1
  • 0x12ec8c:$sqlite3step: 68 34 1C 7B E1
  • 0x1567b9:$sqlite3step: 68 34 1C 7B E1
  • 0x1568cc:$sqlite3step: 68 34 1C 7B E1
  • 0x12eba8:$sqlite3text: 68 38 2A 90 C5
  • 0x12eccd:$sqlite3text: 68 38 2A 90 C5
  • 0x1567e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15690d:$sqlite3text: 68 38 2A 90 C5
  • 0x12ebbb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x12ece3:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1567fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x156923:$sqlite3blob: 68 53 D8 7F 8C
5.2.4pFzkB6ePK.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 4pFzkB6ePK.exe | Virustotal: Detection: 22%
Source: 4pFzkB6ePK.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 4pFzkB6ePK.exe | Joe Sandbox ML: detected
Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 4pFzkB6ePK.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 4pFzkB6ePK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: msiexec.pdb | source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
Source: Binary string: msiexec.pdbGCTL | source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP | source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.475468589.0000000004BD0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 4pFzkB6ePK.exe, msiexec.exe
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 4x nop then pop esi | 5_2_0041582E
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 4x nop then pop edi | 5_2_004162A0
Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 4x nop then pop edi | 5_2_0040C3DC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi | 11_2_00CE582E
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 11_2_00CE62A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 11_2_00CDC3DC

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 160.153.128.38:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 160.153.128.38:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49733 -> 160.153.128.38:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 194.59.164.91:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 194.59.164.91:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49740 -> 194.59.164.91:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.ntljcb.com/tub0/
Source: global traffic | HTTP traffic detected: GET /tub0/?0T0hlT=cydGkSUU+hbxwnLMCHdxs2HTbhyeOBhf6VDIiN7OyAb+9b2I/6QPcL+NYbrcHhStME+j&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 | Host: www.nachbau.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /tub0/?0T0hlT=0g3BJlW7sTphQ/5j4Tdr5dYYoDFSx+aDomq4rDoP20bT0mosHTIKHGclLGRJ8AP1BBBd&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 | Host: www.carbon-foam.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /tub0/?0T0hlT=Oc9Sv6ZsHiz1lEkHjT4sUkzXc6kK6TfJoTMn/p3mX09SqIZJtOPjrYy4Z3tQQ5aTicNK&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 | Host: www.aslanforklift.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /tub0/?0T0hlT=dN2zk3vDrvOSMWpoBKxdiHLfh4G+CBzvqQ9gZV3x5lRoIc3e6NmSOgfKn1bO4v69I6lv&OVlT0R=o2JlVT4hT8qhr8ep HTTP/1.1 | Host: www.ntljcb.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: Joe Sandbox View | ASN Name: GODADDY-AMSDE
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: C:\Windows\explorer.exe | Code function: 6_2_0642A302 getaddrinfo,setsockopt,recv
Source: unknown | DNS traffic detected: queries for: www.nachbau.net
Source: explorer.exe, 00000006.00000000.253352274.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp | String found in binary or memory: http://www.fsqlgt.com/
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp | String found in binary or memory: http://www.fsqlgt.com/T0hlT=nrDRCNaQ3GMZq2PvHSeNd5wOe
Source: msiexec.exe, 0000000B.00000002.474927487.0000000003244000.00000004.00000020.sdmp | String found in binary or memory: http://www.fsqlgt.com/tub0/?0T0hlT=nrDRCNaQ3GMZq2PvHSeNd5wOe
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 4pFzkB6ePK.exe, 00000002.00000002.231090586.0000000005680000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.253631416.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: C:\Windows\explorer.exe | Code function: 6_2_06423EB2 OpenClipboard
Source: 4pFzkB6ePK.exe, 00000002.00000002.227342464.0000000000A60000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE

              System Summary:

              barindex
              Malicious sample detected (through community Yara rule)Show sources
              Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
              Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
              Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
               .NET source code contains very large strings
               Source: 4pFzkB6ePK.exe, LogIn.cs | Long String: Length: 13656
               Source: 5.2.4pFzkB6ePK.exe.e40000.1.unpack, LogIn.cs | Long String: Length: 13656
               Source: 5.0.4pFzkB6ePK.exe.e40000.0.unpack, LogIn.cs | Long String: Length: 13656
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_004181B0 NtCreateFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00418260 NtReadFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_004182E0 NtClose
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00418390 NtAllocateVirtualMemory
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041825A NtReadFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_004182AB NtReadFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041838A NtAllocateVirtualMemory
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019799A0 NtCreateSection,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019795D0 NtClose,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979910 NtAdjustPrivilegesToken,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979540 NtReadFile,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019798F0 NtReadVirtualMemory,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979840 NtDelayExecution,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979860 NtQuerySystemInformation,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979780 NtMapViewOfSection,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019797A0 NtUnmapViewOfSection,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979FE0 NtCreateMutant,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979710 NtQueryInformationToken,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019796E0 NtFreeVirtualMemory,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979A00 NtProtectVirtualMemory,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979A20 NtResumeThread,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979A50 NtCreateFile,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979660 NtAllocateVirtualMemory,LdrInitializeThunk
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019799D0 NtCreateProcessEx
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019795F0 NtQueryInformationFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0197AD30 NtSetContextThread
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979520 NtWaitForSingleObject
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979950 NtQueueApcThread
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979560 NtWriteFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019798A0 NtWriteVirtualMemory
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979820 NtEnumerateKey
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0197B040 NtSuspendThread
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0197A3B0 NtGetContextThread
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0197A710 NtOpenProcessToken
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979B00 NtSetValueKey
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979730 NtQueryVirtualMemory
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979770 NtSetInformationFile
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0197A770 NtOpenThread
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979760 NtOpenProcess
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979A80 NtOpenDirectoryObject
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019796D0 NtCreateKey
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979610 NtEnumerateValueKey
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979A10 NtQuerySection
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979650 NtQueryValueKey
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01979670 NtQueryInformationProcess
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C395D0 NtClose,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39540 NtReadFile,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C396D0 NtCreateKey,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C396E0 NtFreeVirtualMemory,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39650 NtQueryValueKey,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39660 NtAllocateVirtualMemory,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39FE0 NtCreateMutant,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39780 NtMapViewOfSection,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39710 NtQueryInformationToken,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39840 NtDelayExecution,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39860 NtQuerySystemInformation,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C399A0 NtCreateSection,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39910 NtAdjustPrivilegesToken,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39A50 NtCreateFile,LdrInitializeThunk
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C395F0 NtQueryInformationFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39560 NtWriteFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39520 NtWaitForSingleObject
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C3AD30 NtSetContextThread
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39670 NtQueryInformationProcess
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39610 NtEnumerateValueKey
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C397A0 NtUnmapViewOfSection
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39760 NtOpenProcess
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C3A770 NtOpenThread
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39770 NtSetInformationFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C3A710 NtOpenProcessToken
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39730 NtQueryVirtualMemory
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C398F0 NtReadVirtualMemory
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C398A0 NtWriteVirtualMemory
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C3B040 NtSuspendThread
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39820 NtEnumerateKey
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C399D0 NtCreateProcessEx
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39950 NtQueueApcThread
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39A80 NtOpenDirectoryObject
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39A00 NtProtectVirtualMemory
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39A10 NtQuerySection
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39A20 NtResumeThread
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C3A3B0 NtGetContextThread
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C39B00 NtSetValueKey
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE81B0 NtCreateFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE82E0 NtClose
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE8260 NtReadFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE8390 NtAllocateVirtualMemory
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE82AB NtReadFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE825A NtReadFile
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE838A NtAllocateVirtualMemory
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 2_2_00A1C508
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 2_2_00A19990
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00401030
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041A296
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041BB66
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041CB72
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041CB75
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00408C50
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00402D87
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00402D90
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041B61B
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041BEB6
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00402FB0
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01962581
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0194D5E0
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A025DD
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0193F900
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A02D07
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01930D20
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01954120
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A01D55
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0194B090
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A020A8
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019620A0
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A028EC
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0194841F
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019F1002
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0196EBB0
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_019FDBD2
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A01FF1
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A02B28
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A022AE
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01A02EF7
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_01956E30
               Source: C:\Windows\explorer.exe | Code function: 6_2_06427062
               Source: C:\Windows\explorer.exe | Code function: 6_2_064228F9
               Source: C:\Windows\explorer.exe | Code function: 6_2_064252FF
               Source: C:\Windows\explorer.exe | Code function: 6_2_06423362
               Source: C:\Windows\explorer.exe | Code function: 6_2_06422902
               Source: C:\Windows\explorer.exe | Code function: 6_2_06425302
               Source: C:\Windows\explorer.exe | Code function: 6_2_064287C7
               Source: C:\Windows\explorer.exe | Code function: 6_2_064295B2
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CBD466
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C0841F
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC25DD
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C0D5E0
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC1D55
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04BF0D20
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC2D07
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC2EF7
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CBD616
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C16E30
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CCDFCE
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC1FF1
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC28EC
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C0B090
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C220A0
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC20A8
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CB1002
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CCE824
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04BFF900
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C14120
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC22AE
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CAFA2B
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CB03DA
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CBDBD2
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C2EBB0
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C1AB40
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04CC2B28
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CEA296
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CECB75
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CECB72
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CD8C50
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CD2D87
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CD2D90
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CD2FB0
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: String function: 0193B150 appears 35 times
               Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 04BFB150 appears 45 times
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | Binary or memory string: l,\\StringFileInfo\\000004B0\\OriginalFilename vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227342464.0000000000A60000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.226621287.00000000002F8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.234024022.00000000086C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000002.00000002.233518912.0000000008500000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000005.00000000.225714559.0000000000EB8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000005.00000002.285659789.000000000169B000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 4pFzkB6ePK.exe
               Source: 4pFzkB6ePK.exe | Binary or memory string: OriginalFilenameServerObjectTerminatorSink.exe6 vs 4pFzkB6ePK.exe
               Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
               Source: 4pFzkB6ePK.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
               Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000005.00000002.285256775.0000000001440000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000005.00000002.285193753.0000000001410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000005.00000002.284397721.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 0000000B.00000002.470152812.0000000000CD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 0000000B.00000002.472397377.0000000000F30000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 0000000B.00000002.472184819.0000000000F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 00000002.00000002.228140943.0000000003659000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 2.2.4pFzkB6ePK.exe.378cfa0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 5.2.4pFzkB6ePK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 5.2.4pFzkB6ePK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
               Source: 2.2.4pFzkB6ePK.exe.37dcbc0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
               Source: 4pFzkB6ePK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: 4pFzkB6ePK.exe, LogIn.cs | Base64 encoded string: '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
               Source: 5.2.4pFzkB6ePK.exe.e40000.1.unpack, LogIn.cs | Base64 encoded string: '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
               Source: 5.0.4pFzkB6ePK.exe.e40000.0.unpack, LogIn.cs | Base64 encoded string: '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
               Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@9/5
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\4pFzkB6ePK.exe.log
               Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_01
               Source: 4pFzkB6ePK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
               Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
               Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
               Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
               Source: C:\Windows\SysWOW64\msiexec.exe | File read: C:\Windows\System32\drivers\etc\hosts
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
               Source: 4pFzkB6ePK.exe, 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
               Source: 4pFzkB6ePK.exe | Virustotal: Detection: 22%
               Source: 4pFzkB6ePK.exe | ReversingLabs: Detection: 27%
               Source: unknown | Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
               Source: unknown | Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe C:\Users\user\Desktop\4pFzkB6ePK.exe
               Source: unknown | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
               Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
               Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Process created: C:\Users\user\Desktop\4pFzkB6ePK.exe C:\Users\user\Desktop\4pFzkB6ePK.exe
               Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\4pFzkB6ePK.exe'
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
               Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
               Source: 4pFzkB6ePK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
               Source: 4pFzkB6ePK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: msiexec.pdb source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
              Source: Binary string: msiexec.pdbGCTL source: 4pFzkB6ePK.exe, 00000005.00000002.285616427.0000000001678000.00000004.00000020.sdmp
              Source: Binary string: wntdll.pdbUGP source: 4pFzkB6ePK.exe, 00000005.00000002.285884616.0000000001A2F000.00000040.00000001.sdmp, msiexec.exe, 0000000B.00000002.475468589.0000000004BD0000.00000040.00000001.sdmp
              Source: Binary string: wntdll.pdb source: 4pFzkB6ePK.exe, msiexec.exe

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 4pFzkB6ePK.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.2.4pFzkB6ePK.exe.e40000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: 5.0.4pFzkB6ePK.exe.e40000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041B3F2 push eax; ret 5_2_0041B3F8
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041B3FB push eax; ret 5_2_0041B462
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041B3A5 push eax; ret 5_2_0041B3F8
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041B45C push eax; ret 5_2_0041B462
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0041C468 push ss; iretd 5_2_0041C469
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_00415FB5 push eax; retf 5_2_00415FBF
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Code function: 5_2_0198D0D1 push ecx; ret 5_2_0198D0E4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_04C4D0D1 push ecx; ret 11_2_04C4D0E4
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CEB3FB push eax; ret 11_2_00CEB462
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CEB3F2 push eax; ret 11_2_00CEB3F8
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CEB3A5 push eax; ret 11_2_00CEB3F8
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CEB45C push eax; ret 11_2_00CEB462
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CEC468 push ss; iretd 11_2_00CEC469
              Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 11_2_00CE5FB5 push eax; retf 11_2_00CE5FBF
              Source: initial sample | Static PE information: section name: .text entropy: 7.42579480649
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\msiexec.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion:

              Yara detected AntiVM_3
              Source: Yara match | File source: 00000002.00000002.227758190.0000000002651000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: 4pFzkB6ePK.exe PID: 6484, type: MEMORY
              Source: Yara match | File source: 2.2.4pFzkB6ePK.exe.26d4938.1.raw.unpack, type: UNPACKEDPE
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Users\user\Desktop\4pFzkB6ePK.exe | WMI Queri