

Analysis Report 8sxgohtHjM.exe

Overview

General Information

Sample Name: 8sxgohtHjM.exe
Analysis ID: 383831
MD5: d381b0a2268051aa83b031ddc87ee7df
SHA1: 7c580bde96219de369ad1503d62703e77c4c3fa6
SHA256: da51c0642c1d22815991ec7f4da9f27206352ee2c5419d29af09cb69688b0b47
Tags: exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • 8sxgohtHjM.exe (PID: 6752 cmdline: 'C:\Users\user\Desktop\8sxgohtHjM.exe' MD5: D381B0A2268051AA83B031DDC87EE7DF)
    • 8sxgohtHjM.exe (PID: 7100 cmdline: C:\Users\user\Desktop\8sxgohtHjM.exe MD5: D381B0A2268051AA83B031DDC87EE7DF)
    • 8sxgohtHjM.exe (PID: 7108 cmdline: C:\Users\user\Desktop\8sxgohtHjM.exe MD5: D381B0A2268051AA83B031DDC87EE7DF)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6656 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
  • cleanup
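The tree above shows the three host-side observations that matter for detection: the sample launches its own image twice (the suspended self-spawn that precedes hollowing), explorer.exe then starts a 32-bit SysWOW64 utility with an empty argument list, and that utility, NETSTAT.EXE, is the process that talks to the network. The script below is an added example, not Joe Sandbox code, that applies those three rules to Sysmon-style process and network events. The event records are constructed to mirror the Startup section; their field names, the parent PID for explorer.exe, the benign cmd.exe control record and the NO_NETWORK_UTILITIES list are assumptions, not report data.

```python
"""Apply the tree above to Sysmon-style events: self-spawn, explorer -> WoW64 utility,
utility with outbound HTTP. Added example, not Joe Sandbox code."""

# Constructed events modelled on the Startup tree and the networking section.
# Field names are an assumption (Sysmon-like export), not the sandbox's format.
EVENTS = [
    {"type": "proc", "pid": 3388, "ppid": 900,
     "image": r"C:\Windows\explorer.exe", "cmdline": r"C:\Windows\Explorer.EXE"},
    {"type": "proc", "pid": 6752, "ppid": 3388,
     "image": r"C:\Users\user\Desktop\8sxgohtHjM.exe",
     "cmdline": r"'C:\Users\user\Desktop\8sxgohtHjM.exe'"},
    {"type": "proc", "pid": 7100, "ppid": 6752,
     "image": r"C:\Users\user\Desktop\8sxgohtHjM.exe",
     "cmdline": r"C:\Users\user\Desktop\8sxgohtHjM.exe"},
    {"type": "proc", "pid": 7108, "ppid": 6752,
     "image": r"C:\Users\user\Desktop\8sxgohtHjM.exe",
     "cmdline": r"C:\Users\user\Desktop\8sxgohtHjM.exe"},
    # The sandbox draws explorer.exe under PID 7108 because 7108 injected into it; on a
    # real host explorer is already running, so NETSTAT.EXE simply shows explorer as parent.
    {"type": "proc", "pid": 6656, "ppid": 3388,
     "image": r"C:\Windows\SysWOW64\NETSTAT.EXE", "cmdline": r"C:\Windows\SysWOW64\NETSTAT.EXE"},
    {"type": "net", "pid": 6656, "image": r"C:\Windows\SysWOW64\NETSTAT.EXE",
     "dst": "108.128.238.226", "dport": 80},
    # Constructed benign control: a shell launched from explorer with arguments.
    {"type": "proc", "pid": 7200, "ppid": 3388,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": r"C:\Windows\System32\cmd.exe /c dir"},
]

# Assumed starting list of command-line tools that never need an outbound web session.
NO_NETWORK_UTILITIES = {"netstat.exe", "ipconfig.exe", "systeminfo.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def bare_cmdline(cmdline):
    """Strip surrounding quotes so 'image only' command lines compare equal to the image path."""
    return cmdline.strip().strip("'\"").lower()


def find_findings(events):
    procs = {e["pid"]: e for e in events if e["type"] == "proc"}
    findings = []
    for e in procs.values():
        parent = procs.get(e["ppid"])
        if parent is None:
            continue
        # Rule 1: a process launches its own image again (suspended self-spawn, then hollowing).
        if parent["image"].lower() == e["image"].lower():
            findings.append(("self-spawn", e["pid"]))
        # Rule 2: explorer.exe starts a 32-bit SysWOW64 system utility with no arguments.
        if (basename(parent["image"]) == "explorer.exe"
                and "\\syswow64\\" in e["image"].lower()
                and bare_cmdline(e["cmdline"]) == e["image"].lower()):
            findings.append(("explorer-spawns-wow64-utility", e["pid"]))
    # Rule 3: a utility with no legitimate web use opens a TCP session to a web port.
    for e in events:
        if e["type"] == "net" and basename(e["image"]) in NO_NETWORK_UTILITIES and e["dport"] in (80, 443):
            findings.append(("utility-outbound-http", e["pid"]))
    return findings


def correlated_pids(findings, minimum=2):
    """PIDs hit by at least `minimum` distinct rules; single hits are too noisy on their own."""
    rules = {}
    for rule, pid in findings:
        rules.setdefault(pid, set()).add(rule)
    return {pid for pid, hit in rules.items() if len(hit) >= minimum}


if __name__ == "__main__":
    found = find_findings(EVENTS)
    for rule, pid in found:
        print(f"{rule:32} pid={pid}")
    print("escalate:", sorted(correlated_pids(found)))
```

Self-spawn on its own is common in legitimate software (browsers and updaters do it), which is why the escalation threshold in correlated_pids() requires two distinct rules on the same PID; here only NETSTAT.EXE (PID 6656) crosses it, which matches the report's "System process connects to network" verdict.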

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.paintersdistrictcouncil.com/vu9b/"], "decoy": ["longdoggy.net", "gylvs.com", "evonnemccray.com", "nicemoneymaker.com", "baby-schutzen.com", "xgahovzm.icu", "psdcompany.com", "makeupjunkiewholesale.com", "vz357.com", "carshownet.com", "forneyus.com", "nfoptic.com", "lampacosmetiques.com", "newmandu.com", "localupdate.net", "theartofmajur1.com", "bancosecurity.website", "cabinhealthy.com", "tiprent.com", "lloydwellsandassociates.com", "cekaventure.com", "nahomredda.com", "transitionmonster.com", "apiquet.com", "covidbizdisaster.com", "darrelbrodkemd.com", "sproutsocialleads.com", "curtex.info", "wsilhavy.net", "regaltire.net", "sellbulkweed.com", "trumedenroll.com", "pone2.com", "jedinomad.net", "sleekandshinebeauty.com", "sango-style.com", "bjshuangtai.net", "shopasadesigns.com", "siloamtree.com", "happilyeverhughes.net", "hayalpresst.com", "wfdrc.icu", "astronumerolan.com", "pvplearing.net", "moyoujf.com", "bestwishesforyou.online", "3erkala.xyz", "calificatucasa.com", "cuple.info", "k-acad.com", "iesco.net", "investmentresourcesaz.com", "4018398.com", "cbluedotpanowdbuy.com", "lllll0.com", "plainsteelforsale.com", "abarrotesflorita.com", "tunemovie.website", "dfendglobal.com", "drvincewoodonline.com", "support-applela.com", "unclejoeandkamala2020.com", "frrin.com", "pennsylvaniapot.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x166a9:$sqlite3step: 68 34 1C 7B E1
    • 0x167bc:$sqlite3step: 68 34 1C 7B E1
    • 0x166d8:$sqlite3text: 68 38 2A 90 C5
    • 0x167fd:$sqlite3text: 68 38 2A 90 C5
    • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further memory-dump matches not shown)

      Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.8sxgohtHjM.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.8sxgohtHjM.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.8sxgohtHjM.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x158a9:$sqlite3step: 68 34 1C 7B E1
        • 0x159bc:$sqlite3step: 68 34 1C 7B E1
        • 0x158d8:$sqlite3text: 68 38 2A 90 C5
        • 0x159fd:$sqlite3text: 68 38 2A 90 C5
        • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
4.2.8sxgohtHjM.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.8sxgohtHjM.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE match not shown)

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Antivirus detection for URL or domain
Source: http://www.support-applela.com/vu9b/?0pn=31nFjjjg4oAcb4MokEe | Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above: one C2 URL, www.paintersdistrictcouncil.com/vu9b/, and 64 decoy domains)
Multi AV Scanner detection for submitted file
Source: 8sxgohtHjM.exe | VirusTotal: Detection: 34%
Source: 8sxgohtHjM.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.310623101.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.521004557.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311156911.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.518608127.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.8sxgohtHjM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.8sxgohtHjM.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 8sxgohtHjM.exe | Joe Sandbox ML: detected
Source: 4.2.8sxgohtHjM.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 8sxgohtHjM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 8sxgohtHjM.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: 8sxgohtHjM.exe, 00000004.00000002.311207883.0000000001090000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.298573010.000000000E1C0000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: 8sxgohtHjM.exe, 00000004.00000002.311207883.0000000001090000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 8sxgohtHjM.exe, 00000004.00000002.311350228.000000000128F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000010.00000002.521855164.0000000003AF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 8sxgohtHjM.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.298573010.000000000E1C0000.00000002.00000001.sdmp

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 108.128.238.226:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 108.128.238.226:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49727 -> 108.128.238.226:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 208.91.197.91:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49746 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.paintersdistrictcouncil.com/vu9b/
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /vu9b/?uZQL2=D48x&0pn=epJyvIJN9OiI2pb9nHYNHIQUuRpQuBcV3xjjobJny1KcYNO6WcXhtFEWRhmWC8oG0KHq HTTP/1.1 | Host: www.nahomredda.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /vu9b/?0pn=TnflO2yLdbi4Ns0f55IiNebWCRsDsubrkj3vpv5xkUkHd7zC3bp6KG+yVlLNRE0xHemI&uZQL2=D48x HTTP/1.1 | Host: www.nfoptic.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /vu9b/?uZQL2=D48x&0pn=4FRBZlZfmJP1ouB3qG1kZTmIcoiAlBFvqheXtdIBznGFOOcTf1arb+p8J++3khIBMjQo HTTP/1.1 | Host: www.pone2.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /vu9b/?0pn=gvDMKnL2DiygUqkLOW8equ0SBtiZsQsp9RF77GdE0oWtaZL2dcC9ipMcSo2LbyxlKRwH&uZQL2=D48x HTTP/1.1 | Host: www.newmandu.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /vu9b/?uZQL2=D48x&0pn=Ucm1yDKmPu3sqYnPT23C7jNgC5pC+S3WITJgysPBW6tpfdLYpWyQ+yZVED0YNT4HHiqT HTTP/1.1 | Host: www.bestwishesforyou.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /vu9b/?0pn=ZRZicPUHGdpu447/ToshtXbk+LjFT6TcRbqWThirrcjgIxqMd1CJhqCrqkTzpGUGM9/e&uZQL2=D48x HTTP/1.1 | Host: www.unclejoeandkamala2020.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /vu9b/?uZQL2=D48x&0pn=XOyfHYtLU1lLdZnaXZe4OvPQMiRanaHMlAIcsSmWFWkLxOIqqTB9rasY28K6kY36/QRI HTTP/1.1 | Host: www.siloamtree.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View | IP Address: 208.91.197.91
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: www.nahomredda.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 08 Apr 2021 08:49:51 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
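Every captured GET above goes to a host from the configuration's decoy list (nahomredda.com, nfoptic.com, pone2.com, newmandu.com, bestwishesforyou.online, unclejoeandkamala2020.com, siloamtree.com), never to the configured C2, and every one uses the same path token /vu9b/ and the same two-parameter query shape. The script below is an added example, not Joe Sandbox code, that ties the Malware Configuration section to this traffic: it loads the extractor's JSON (decoy list shortened to a few entries), pulls the C2 path out of the "C2 list" entry, and classifies a constructed request log made of two request lines copied from the capture, one invented check-in to the configured C2 host, and two invented benign requests. The beacon-shape heuristic in looks_like_checkin() is derived from the requests shown on this page and is an assumption about this sample's traffic, not a general FormBook rule.

```python
"""Match captured HTTP requests against the FormBook configuration extracted above.
Added example, not Joe Sandbox code."""
import json
from urllib.parse import parse_qsl, urlsplit

# The extractor's JSON from the Malware Configuration section, decoy list cut down.
CONFIG_JSON = """{"C2 list": ["www.paintersdistrictcouncil.com/vu9b/"],
 "decoy": ["nahomredda.com", "nfoptic.com", "pone2.com", "siloamtree.com", "longdoggy.net"]}"""

# Constructed request log of (Host header, request-target) pairs.
SAMPLE_REQUESTS = [
    # Two check-ins copied from the report's captured traffic
    ("www.nahomredda.com",
     "/vu9b/?uZQL2=D48x&0pn=epJyvIJN9OiI2pb9nHYNHIQUuRpQuBcV3xjjobJny1KcYNO6WcXhtFEWRhmWC8oG0KHq"),
    ("www.nfoptic.com",
     "/vu9b/?0pn=TnflO2yLdbi4Ns0f55IiNebWCRsDsubrkj3vpv5xkUkHd7zC3bp6KG+yVlLNRE0xHemI&uZQL2=D48x"),
    # Constructed: the same beacon shape sent to the configured C2 host (not in the capture)
    ("www.paintersdistrictcouncil.com", "/vu9b/?uZQL2=D48x&0pn=" + "A" * 68),
    # Constructed benign traffic: ordinary browsing to a decoy host, and an unrelated site
    ("www.nfoptic.com", "/about/"),
    ("www.example.org", "/index.html"),
]


def load_config(text):
    """Return ({c2_host: c2_path}, {decoy domains}) from the extractor's JSON."""
    cfg = json.loads(text)
    c2 = {}
    for entry in cfg["C2 list"]:
        parts = urlsplit("//" + entry)  # entries carry no scheme
        c2[parts.hostname] = parts.path
    return c2, {d.lower() for d in cfg["decoy"]}


def registrable(host):
    """Drop a leading 'www.' so Host headers line up with the bare decoy names."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def looks_like_checkin(path, query):
    """Beacon shape seen in the capture: a one-segment directory path and exactly two
    query parameters, one short token (D48x) and one long base64-like blob."""
    if path.count("/") != 2 or not path.endswith("/"):
        return False
    lengths = sorted(len(v) for _, v in parse_qsl(query, keep_blank_values=True))
    return len(lengths) == 2 and lengths[0] <= 8 and lengths[1] >= 32


def classify(host, target, c2, decoys):
    parts = urlsplit(target)
    beacon = looks_like_checkin(parts.path, parts.query)
    if host.lower() in c2 and parts.path == c2[host.lower()]:
        return "c2-checkin"
    if beacon and parts.path in c2.values():
        return "decoy-checkin" if registrable(host) in decoys else "checkin-unlisted-host"
    return "decoy-host-benign" if registrable(host) in decoys else "benign"


def triage(requests=SAMPLE_REQUESTS, config_text=CONFIG_JSON):
    c2, decoys = load_config(config_text)
    return [(host, classify(host, target, c2, decoys)) for host, target in requests]


if __name__ == "__main__":
    for host, verdict in triage():
        print(f"{verdict:20} {host}")
```

The practical consequence for blocking: the decoy hosts are real third-party sites that the sample contacts only as cover, so a blocklist built from the "decoy" array blocks legitimate traffic without touching the C2. Block on the C2 host plus path from "C2 list", and alert on the beacon shape (path token plus two-parameter query with a null-byte body) regardless of the Host header, which is what the ET TROJAN FormBook CnC Checkin rules above do.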
Source: explorer.exe, 00000005.00000000.294740865.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 8sxgohtHjM.exe, 00000000.00000002.270731871.0000000002701000.00000004.00000001.sdmp, 8sxgohtHjM.exe, 00000000.00000002.270751775.000000000271E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 8sxgohtHjM.exe, 00000000.00000002.270751775.000000000271E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: NETSTAT.EXE, 00000010.00000002.522730869.00000000041A2000.00000004.00000001.sdmp | String found in binary or memory: http://www.newmandu.com/?fp=teRCGBRWnsMyQPYBLQzITP%2FRZhRM%2BzRVkHY6lKODoxW9UBFBZ%2BAUTjJBDU4IosgaQp
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: NETSTAT.EXE, 00000010.00000002.521546345.00000000036FA000.00000004.00000020.sdmp | String found in binary or memory: http://www.support-applela.com/vu9b/?0pn=31nFjjjg4oAcb4MokEe
Source: explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 8sxgohtHjM.exe, 00000000.00000002.274767057.0000000005840000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.294908014.0000000008B40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 8sxgohtHjM.exe | String found in binary or memory: https://www.gnu.org
Source: 8sxgohtHjM.exe | String found in binary or memory: https://www.gnu.org/licenses/
Note on the string list: the fontbureau, fonts.com, founder, sakkal, sandoll, tiro, typography.net and similar URLs are vendor strings embedded in installed fonts; they occur in the unrelated explorer.exe memory region as well and are not indicators for this sample. The two strings that do matter are the ones recovered from NETSTAT.EXE memory, on www.newmandu.com and www.support-applela.com, both domains taken from the decoy list in the extracted configuration.

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.310623101.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.521004557.0000000003570000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.311156911.0000000001030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.518608127.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.8sxgohtHjM.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.8sxgohtHjM.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.310623101.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.310623101.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.521004557.0000000003570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.521004557.0000000003570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.311156911.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.311156911.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.518608127.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.518608127.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.8sxgohtHjM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.8sxgohtHjM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.8sxgohtHjM.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.8sxgohtHjM.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_004181B0 NtCreateFile | 4_2_004181B0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00418260 NtReadFile | 4_2_00418260
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_004182E0 NtClose | 4_2_004182E0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory | 4_2_00418390
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041825A NtReadFile | 4_2_0041825A
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041838A NtAllocateVirtualMemory | 4_2_0041838A
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 4_2_011D9910
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D99A0 NtCreateSection,LdrInitializeThunk | 4_2_011D99A0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9840 NtDelayExecution,LdrInitializeThunk | 4_2_011D9840
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9860 NtQuerySystemInformation,LdrInitializeThunk | 4_2_011D9860
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D98F0 NtReadVirtualMemory,LdrInitializeThunk | 4_2_011D98F0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9A00 NtProtectVirtualMemory,LdrInitializeThunk | 4_2_011D9A00
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9A20 NtResumeThread,LdrInitializeThunk | 4_2_011D9A20
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9A50 NtCreateFile,LdrInitializeThunk | 4_2_011D9A50
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9540 NtReadFile,LdrInitializeThunk | 4_2_011D9540
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D95D0 NtClose,LdrInitializeThunk | 4_2_011D95D0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9710 NtQueryInformationToken,LdrInitializeThunk | 4_2_011D9710
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9780 NtMapViewOfSection,LdrInitializeThunk | 4_2_011D9780
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D97A0 NtUnmapViewOfSection,LdrInitializeThunk | 4_2_011D97A0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9FE0 NtCreateMutant,LdrInitializeThunk | 4_2_011D9FE0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9660 NtAllocateVirtualMemory,LdrInitializeThunk | 4_2_011D9660
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D96E0 NtFreeVirtualMemory,LdrInitializeThunk | 4_2_011D96E0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9950 NtQueueApcThread | 4_2_011D9950
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D99D0 NtCreateProcessEx | 4_2_011D99D0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9820 NtEnumerateKey | 4_2_011D9820
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011DB040 NtSuspendThread | 4_2_011DB040
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D98A0 NtWriteVirtualMemory | 4_2_011D98A0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9B00 NtSetValueKey | 4_2_011D9B00
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011DA3B0 NtGetContextThread | 4_2_011DA3B0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9A10 NtQuerySection | 4_2_011D9A10
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9A80 NtOpenDirectoryObject | 4_2_011D9A80
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011DAD30 NtSetContextThread | 4_2_011DAD30
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9520 NtWaitForSingleObject | 4_2_011D9520
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9560 NtWriteFile | 4_2_011D9560
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D95F0 NtQueryInformationFile | 4_2_011D95F0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011DA710 NtOpenProcessToken | 4_2_011DA710
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9730 NtQueryVirtualMemory | 4_2_011D9730
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011DA770 NtOpenThread | 4_2_011DA770
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9770 NtSetInformationFile | 4_2_011D9770
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9760 NtOpenProcess | 4_2_011D9760
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9610 NtEnumerateValueKey | 4_2_011D9610
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9650 NtQueryValueKey | 4_2_011D9650
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D9670 NtQueryInformationProcess | 4_2_011D9670
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011D96D0 NtCreateKey | 4_2_011D96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59780 NtMapViewOfSection,LdrInitializeThunk | 16_2_03B59780
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59FE0 NtCreateMutant,LdrInitializeThunk | 16_2_03B59FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59710 NtQueryInformationToken,LdrInitializeThunk | 16_2_03B59710
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B596E0 NtFreeVirtualMemory,LdrInitializeThunk | 16_2_03B596E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B596D0 NtCreateKey,LdrInitializeThunk | 16_2_03B596D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59660 NtAllocateVirtualMemory,LdrInitializeThunk | 16_2_03B59660
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59650 NtQueryValueKey,LdrInitializeThunk | 16_2_03B59650
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59A50 NtCreateFile,LdrInitializeThunk | 16_2_03B59A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B599A0 NtCreateSection,LdrInitializeThunk | 16_2_03B599A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B595D0 NtClose,LdrInitializeThunk | 16_2_03B595D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59910 NtAdjustPrivilegesToken,LdrInitializeThunk | 16_2_03B59910
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59540 NtReadFile,LdrInitializeThunk | 16_2_03B59540
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59860 NtQuerySystemInformation,LdrInitializeThunk | 16_2_03B59860
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59840 NtDelayExecution,LdrInitializeThunk | 16_2_03B59840
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B5A3B0 NtGetContextThread | 16_2_03B5A3B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B597A0 NtUnmapViewOfSection | 16_2_03B597A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59730 NtQueryVirtualMemory | 16_2_03B59730
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B5A710 NtOpenProcessToken | 16_2_03B5A710
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59B00 NtSetValueKey | 16_2_03B59B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59770 NtSetInformationFile | 16_2_03B59770
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B5A770 NtOpenThread | 16_2_03B5A770
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59760 NtOpenProcess | 16_2_03B59760
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59A80 NtOpenDirectoryObject | 16_2_03B59A80
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59A20 NtResumeThread | 16_2_03B59A20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59610 NtEnumerateValueKey | 16_2_03B59610
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59A10 NtQuerySection | 16_2_03B59A10
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59A00 NtProtectVirtualMemory | 16_2_03B59A00
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59670 NtQueryInformationProcess | 16_2_03B59670
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B595F0 NtQueryInformationFile | 16_2_03B595F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B599D0 NtCreateProcessEx | 16_2_03B599D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B5AD30 NtSetContextThread | 16_2_03B5AD30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59520 NtWaitForSingleObject | 16_2_03B59520
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59560 NtWriteFile | 16_2_03B59560
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59950 NtQueueApcThread | 16_2_03B59950
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B598A0 NtWriteVirtualMemory | 16_2_03B598A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B598F0 NtReadVirtualMemory | 16_2_03B598F0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B59820 NtEnumerateKey | 16_2_03B59820
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B5B040 NtSuspendThread | 16_2_03B5B040
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FE81B0 NtCreateFile | 16_2_00FE81B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FE82E0 NtClose | 16_2_00FE82E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FE8260 NtReadFile | 16_2_00FE8260
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FE8390 NtAllocateVirtualMemory | 16_2_00FE8390
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FE825A NtReadFile | 16_2_00FE825A
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FE838A NtAllocateVirtualMemory | 16_2_00FE838A
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BCB48 | 0_2_025BCB48
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BCB47 | 0_2_025BCB47
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025B9FD8 | 0_2_025B9FD8
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_07408730 | 0_2_07408730
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_07400558 | 0_2_07400558
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_0740CF68 | 0_2_0740CF68
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_07405FE0 | 0_2_07405FE0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_07405D98 | 0_2_07405D98
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_07407C00 | 0_2_07407C00
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_074099D8 | 0_2_074099D8
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_07403880 | 0_2_07403880
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_0740B6D1 | 0_2_0740B6D1
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_0740B6E0 | 0_2_0740B6E0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_074086A0 | 0_2_074086A0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00401030 | 4_2_00401030
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041A2A6 | 4_2_0041A2A6
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00408C4B | 4_2_00408C4B
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00408C50 | 4_2_00408C50
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041B4A6 | 4_2_0041B4A6
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00402D87 | 4_2_00402D87
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00402D90 | 4_2_00402D90
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041C7C2 | 4_2_0041C7C2
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00402FB0 | 4_2_00402FB0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0119F900 | 4_2_0119F900
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011B4120 | 4_2_011B4120
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0126E824 | 4_2_0126E824
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01251002 | 4_2_01251002
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011AB090 | 4_2_011AB090
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_012620A8 | 4_2_012620A8
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011C20A0 | 4_2_011C20A0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_012628EC | 4_2_012628EC
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01262B28 | 4_2_01262B28
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011BAB40 | 4_2_011BAB40
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011CEBB0 | 4_2_011CEBB0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0125DBD2 | 4_2_0125DBD2
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_012503DA | 4_2_012503DA
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0124FA2B | 4_2_0124FA2B
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_012622AE | 4_2_012622AE
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01262D07 | 4_2_01262D07
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01190D20 | 4_2_01190D20
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01261D55 | 4_2_01261D55
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011C2581 | 4_2_011C2581
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011AD5E0 | 4_2_011AD5E0
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_012625DD | 4_2_012625DD
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011A841F | 4_2_011A841F
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0125D466 | 4_2_0125D466
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01261FF1 | 4_2_01261FF1
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0126DFCE | 4_2_0126DFCE
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011B6E30 | 4_2_011B6E30
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0125D616 | 4_2_0125D616
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_01262EF7 | 4_2_01262EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B4EBB0 | 16_2_03B4EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE1FF1 | 16_2_03BE1FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BDDBD2 | 16_2_03BDDBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE2B28 | 16_2_03BE2B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE22AE | 16_2_03BE22AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE2EF7 | 16_2_03BE2EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B36E30 | 16_2_03B36E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B42581 | 16_2_03B42581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B2D5E0 | 16_2_03B2D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE25DD | 16_2_03BE25DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B10D20 | 16_2_03B10D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B34120 | 16_2_03B34120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B1F900 | 16_2_03B1F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE2D07 | 16_2_03BE2D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE1D55 | 16_2_03BE1D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B420A0 | 16_2_03B420A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE20A8 | 16_2_03BE20A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B2B090 | 16_2_03B2B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BE28EC | 16_2_03BE28EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B2841F | 16_2_03B2841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BD1002 | 16_2_03BD1002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03BDD466 | 16_2_03BDD466
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FEA2A6 | 16_2_00FEA2A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FEB4A6 | 16_2_00FEB4A6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FD8C50 | 16_2_00FD8C50
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FD8C4B | 16_2_00FD8C4B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FD2D90 | 16_2_00FD2D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FD2D87 | 16_2_00FD2D87
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FEC7C2 | 16_2_00FEC7C2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FD2FB0 | 16_2_00FD2FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 03B1B150 appears 35 times
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: String function: 0119B150 appears 48 times
Source: 8sxgohtHjM.exe, 00000000.00000002.269902767.0000000000442000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyTitleAttribute.exeB vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe, 00000000.00000002.270751775.000000000271E000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe, 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe, 00000003.00000002.268222469.0000000000352000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyTitleAttribute.exeB vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe, 00000004.00000000.268910587.0000000000772000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAssemblyTitleAttribute.exeB vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe, 00000004.00000002.311350228.000000000128F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe, 00000004.00000002.311207883.0000000001090000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe | Binary or memory string: OriginalFilenameAssemblyTitleAttribute.exeB vs 8sxgohtHjM.exe
Source: 8sxgohtHjM.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.520943854.0000000003540000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.311088720.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.310623101.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.310623101.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.521004557.0000000003570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.521004557.0000000003570000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.271249729.00000000037C5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.311156911.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.311156911.0000000001030000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.518608127.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.518608127.0000000000FD0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.8sxgohtHjM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.8sxgohtHjM.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.8sxgohtHjM.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.8sxgohtHjM.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 8sxgohtHjM.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@6/1@14/6
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8sxgohtHjM.exe.log
Source: 8sxgohtHjM.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File read: C:\Windows\System32\drivers\etc\hosts
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: 8sxgohtHjM.exe, 00000000.00000002.270742230.0000000002713000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: 8sxgohtHjM.exe | Virustotal: Detection: 34%
Source: 8sxgohtHjM.exe | ReversingLabs: Detection: 33%
Source: unknown | Process created: C:\Users\user\Desktop\8sxgohtHjM.exe 'C:\Users\user\Desktop\8sxgohtHjM.exe'
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Process created: C:\Users\user\Desktop\8sxgohtHjM.exe C:\Users\user\Desktop\8sxgohtHjM.exe
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Process created: C:\Users\user\Desktop\8sxgohtHjM.exe C:\Users\user\Desktop\8sxgohtHjM.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Process created: C:\Users\user\Desktop\8sxgohtHjM.exe C:\Users\user\Desktop\8sxgohtHjM.exe
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Process created: C:\Users\user\Desktop\8sxgohtHjM.exe C:\Users\user\Desktop\8sxgohtHjM.exe
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: 8sxgohtHjM.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: 8sxgohtHjM.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: 8sxgohtHjM.exe, 00000004.00000002.311207883.0000000001090000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.298573010.000000000E1C0000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: 8sxgohtHjM.exe, 00000004.00000002.311207883.0000000001090000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 8sxgohtHjM.exe, 00000004.00000002.311350228.000000000128F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000010.00000002.521855164.0000000003AF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 8sxgohtHjM.exe, NETSTAT.EXE
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.298573010.000000000E1C0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025B446F push edi; retn 0004h | 0_2_025B4482
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025B6841 pushad ; ret | 0_2_025B6842
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BAED1 pushfd ; ret | 0_2_025BAED2
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BAEC9 pushfd ; ret | 0_2_025BAECA
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BAEEF pushfd ; ret | 0_2_025BAEFA
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BAE88 pushfd ; ret | 0_2_025BAE8A
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025BAF30 pushfd ; ret | 0_2_025BAF3A
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025B7038 push esp; ret | 0_2_025B7039
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_025B3768 push eax; ret | 0_2_025B3769
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_0740D6D2 push 0000005Ah; retf | 0_2_0740D6D4
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 0_2_0740A50B push ss; retf | 0_2_0740A50E
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041B3B5 push eax; ret | 4_2_0041B408
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00415458 push ebx; iretd | 4_2_0041545A
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041B46C push eax; ret | 4_2_0041B472
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041B402 push eax; ret | 4_2_0041B408
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0041B40B push eax; ret | 4_2_0041B472
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_0040BD7A push ds; iretd | 4_2_0040BD7B
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_00414E8D push ds; retf | 4_2_00414E8E
Source: C:\Users\user\Desktop\8sxgohtHjM.exe | Code function: 4_2_011ED0D1 push ecx; ret | 4_2_011ED0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_03B6D0D1 push ecx; ret | 16_2_03B6D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FEB3B5 push eax; ret | 16_2_00FEB408
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 16_2_00FEB46C push eax; ret | 16_2_00FEB472
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 16_2_00FE5458 push ebx; iretd 16_2_00FE545A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 16_2_00FEB40B push eax; ret 16_2_00FEB472
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 16_2_00FEB402 push eax; ret 16_2_00FEB408
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 16_2_00FDBD7A push ds; iretd 16_2_00FDBD7B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 16_2_00FE4E8D push ds; retf 16_2_00FE4E8E
          Source: initial sampleStatic PE information: section name: .text entropy: 7.7978615602
          Source: C:\Users\user\Desktop\8sxgohtHjM.exeProcess information set: NOOPENFILEERRORBOXJump to behavior