
Analysis Report KY4cmAI0jU.exe

Overview

General Information

Sample Name: KY4cmAI0jU.exe
Analysis ID: 433078
MD5: 8c35ac8d43f7e59105902fa16114144e
SHA1: c1a0e5de1121e55c22649182c923b41efd4e2848
SHA256: 1a08fc838c4ebab6b986b6010e2074a05c29916cd38096e7f7d26a6455917508
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • KY4cmAI0jU.exe (PID: 2128 cmdline: 'C:\Users\user\Desktop\KY4cmAI0jU.exe' MD5: 8C35AC8D43F7E59105902FA16114144E)
    • KY4cmAI0jU.exe (PID: 1632 cmdline: 'C:\Users\user\Desktop\KY4cmAI0jU.exe' MD5: 8C35AC8D43F7E59105902FA16114144E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 5448 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
          • cmd.exe (PID: 5380 cmdline: /c del 'C:\Users\user\Desktop\KY4cmAI0jU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6060 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}

Yara Overview

Memory Dumps

Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x166c9:$sqlite3step: 68 34 1C 7B E1
    • 0x167dc:$sqlite3step: 68 34 1C 7B E1
    • 0x166f8:$sqlite3text: 68 38 2A 90 C5
    • 0x1681d:$sqlite3text: 68 38 2A 90 C5
    • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16833:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack
  Rule: Formbook
  Description: detect Formbook in memory
  Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x158c9:$sqlite3step: 68 34 1C 7B E1
    • 0x159dc:$sqlite3step: 68 34 1C 7B E1
    • 0x158f8:$sqlite3text: 68 38 2A 90 C5
    • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
    • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C

Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook
  Description: Yara detected FormBook
  Author: Joe Security

Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack
  Rule: Formbook_1
  Description: autogenerated rule brought to you by yara-signator
  Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.alberthospice.com/sh2m/"], "decoy": ["ladorreguita.com", "starflexacademy.com", "aumhouseholds.com", "ylcht.info", "skill-seminar.com", "insurancedowntown.com", "baliholisticacademy.com", "andrealuz.com", "choicecarloans.com", "ezonkorea.com", "charteroaktech.com", "acpcomponents.com", "portugalthecoder.com", "ipoolhub.com", "webfwrd.com", "swiggy.company", "covidproofevents.com", "jianhufeiyang.space", "oohvd-amai.xyz", "directprnews.com", "kfrx-assuv.xyz", "take-me-bergen.com", "audiosech.club", "infinitytradingapp.com", "pujajaiswal.com", "slateradvertising.com", "tensefit.com", "beyou.fitness", "maybowser.com", "thenewrepublican.net", "kenms.com", "rjpadvisors.com", "pridebiking.com", "99kweeclub.com", "wakarasu.com", "millabg.com", "beenovus.com", "gregcasarsocialist.com", "rentmystuff.info", "adultvideolife.xyz", "ytjee4x6zm9wg.net", "dbsjsa.net", "ziduh.com", "track-website.website", "societalfusion.com", "in-homenannies.com", "sudhakarfurniture.com", "services-nz.com", "obi4ex.com", "geniepinie.com", "dilossearticle.com", "changecamps.com", "meganfantastic.com", "jaisl11.com", "sciencebasedmasks.com", "candydulce.com", "tetra-oil.com", "mkpricephoto.com", "hayvankayit.com", "ellasween.com", "gracelandofkrotzsprings.com", "dndemystified.com", "blinbins.com", "lolasvibe.com"]}
Multi AV Scanner detection for submitted file
Source: KY4cmAI0jU.exe, Virustotal: Detection: 34%
Source: KY4cmAI0jU.exe, Metadefender: Detection: 17%
Source: KY4cmAI0jU.exe, ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: KY4cmAI0jU.exe, Joe Sandbox ML: detected
Source: 6.2.help.exe.3407960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 6.2.help.exe.9fd7e8.1.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: KY4cmAI0jU.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wntdll.pdbUGP source: KY4cmAI0jU.exe, 00000000.00000003.213745090.00000000099C0000.00000004.00000001.sdmp, KY4cmAI0jU.exe, 00000001.00000002.266159838.0000000000AA0000.00000040.00000001.sdmp, help.exe, 00000006.00000002.481376973.0000000002FEF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: KY4cmAI0jU.exe, help.exe
Source: Binary string: help.pdbGCTL source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: Binary string: help.pdb source: KY4cmAI0jU.exe, 00000001.00000002.266136705.0000000000A40000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_0040263E FindFirstFileA
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop ebx, 1_2_00406A9A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi, 1_2_00415659
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi, 1_2_00415671
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop ebx, 1_1_00406A9A
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi, 1_1_00415659
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 4x nop then pop edi, 1_1_00415671
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop ebx, 6_2_00566A9B
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop edi, 6_2_00575659
Source: C:\Windows\SysWOW64\help.exe, Code function: 4x nop then pop edi, 6_2_00575671

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49730 -> 172.67.206.33:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49738 -> 104.21.89.72:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 3.34.12.41:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.alberthospice.com/sh2m/
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=Y4nA7D8ZanudJV/n7ckHSBWOhW22WEJR/asQiGNTmjaNDyrYZ8Q/zKqiBMBjk5weHegN&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.take-me-bergen.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=CQ6AMTNmXrT6GsHyvLqygrxreupfdtmN+4T1XtvAXMgditzRj6Y1Xuw537ryrSqhWitY&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.starflexacademy.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=AN9Dli3eSwBxhLN7Z92H8FzDOGpUzm7G3BkkvfgYwC6zoN6kwH9F+lw53Jt7Bui6OWXD&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.ladorreguita.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=Qqwfsv61LD8gOSv2HQNs13/ILT3hkPAGuV1QQZOHa/kG/rdN/rA5QVkGcwq5olxFBDS9&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.candydulce.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=c9aUCvLa9Ql2a6xFKe5xJWdXulTfAnmJmW0relGKzVi+CMwVFA49Zy8Fshmf8yObHaZC&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.insurancedowntown.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=UiVwUNrNLQfwtohPmVYH70t5lUixURpqlrLqHTUDsyREBVD/9Tpqi3FDGPs9lJ3zNa3b&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.ezonkorea.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=e+6U2v/464/49Vrt/4yGVwpDKMjmMUzpCV508o5/z2Kz7+x90JHivdh29zvGxsTtrzAO&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.dndemystified.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: global traffic, HTTP traffic detected: GET /sh2m/?i0=uHvpiI6aXo2y2Po+6svR0qIfr0jRx6IK9412etvelJearRBAFXnPloN9l4KAKLF+tazG&4huxZr=02MtK8MPsR3L HTTP/1.1, Host: www.meganfantastic.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 3.143.65.214
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown, DNS traffic detected: queries for: www.take-me-bergen.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Fri, 11 Jun 2021 07:03:07 GMT, Content-Type: text/html, Content-Length: 153, Connection: close, Server: nginx/1.16.1, Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a, Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000002.00000000.235645842.0000000008907000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: KY4cmAI0jU.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: KY4cmAI0jU.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.235828489.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp, String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp, String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: help.exe, 00000006.00000002.482952749.0000000003582000.00000004.00000001.sdmp, String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: C:\Users\user\Desktop\KY4cmAI0jU.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479659636.0000000000B20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.266058058.00000000009E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.218657751.0000000002170000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.477991027.0000000000560000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.265737304.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.266028847.00000000009B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.479612487.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216588771.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.KY4cmAI0jU.exe.2170000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.KY4cmAI0jU.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.KY4cmAI0jU.exe.2170000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.KY4cmAI0jU.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_004181D0 NtCreateFile, 1_2_004181D0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00418280 NtReadFile, 1_2_00418280
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00418300 NtClose, 1_2_00418300
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_004183B0 NtAllocateVirtualMemory, 1_2_004183B0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041827B NtCreateFile, 1_2_0041827B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_004182FD NtClose, 1_2_004182FD
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_004183AB NtAllocateVirtualMemory, 1_2_004183AB
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B098F0 NtReadVirtualMemory, LdrInitializeThunk, 1_2_00B098F0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09860 NtQuerySystemInformation, LdrInitializeThunk, 1_2_00B09860
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09840 NtDelayExecution, LdrInitializeThunk, 1_2_00B09840
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B099A0 NtCreateSection, LdrInitializeThunk, 1_2_00B099A0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09910 NtAdjustPrivilegesToken, LdrInitializeThunk, 1_2_00B09910
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09A20 NtResumeThread, LdrInitializeThunk, 1_2_00B09A20
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09A00 NtProtectVirtualMemory, LdrInitializeThunk, 1_2_00B09A00
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09A50 NtCreateFile, LdrInitializeThunk, 1_2_00B09A50
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B095D0 NtClose, LdrInitializeThunk, 1_2_00B095D0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09540 NtReadFile, LdrInitializeThunk, 1_2_00B09540
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B096E0 NtFreeVirtualMemory, LdrInitializeThunk, 1_2_00B096E0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09660 NtAllocateVirtualMemory, LdrInitializeThunk, 1_2_00B09660
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B097A0 NtUnmapViewOfSection, LdrInitializeThunk, 1_2_00B097A0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09780 NtMapViewOfSection, LdrInitializeThunk, 1_2_00B09780
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09FE0 NtCreateMutant, LdrInitializeThunk, 1_2_00B09FE0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09710 NtQueryInformationToken, LdrInitializeThunk, 1_2_00B09710
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B098A0 NtWriteVirtualMemory, 1_2_00B098A0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09820 NtEnumerateKey, 1_2_00B09820
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B0B040 NtSuspendThread, 1_2_00B0B040
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B099D0 NtCreateProcessEx, 1_2_00B099D0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09950 NtQueueApcThread, 1_2_00B09950
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09A80 NtOpenDirectoryObject, 1_2_00B09A80
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09A10 NtQuerySection, 1_2_00B09A10
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B0A3B0 NtGetContextThread, 1_2_00B0A3B0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09B00 NtSetValueKey, 1_2_00B09B00
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B095F0 NtQueryInformationFile, 1_2_00B095F0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B0AD30 NtSetContextThread, 1_2_00B0AD30
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09520 NtWaitForSingleObject, 1_2_00B09520
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09560 NtWriteFile, 1_2_00B09560
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B096D0 NtCreateKey, 1_2_00B096D0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09610 NtEnumerateValueKey, 1_2_00B09610
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09670 NtQueryInformationProcess, 1_2_00B09670
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09650 NtQueryValueKey, 1_2_00B09650
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09730 NtQueryVirtualMemory, 1_2_00B09730
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B0A710 NtOpenProcessToken, 1_2_00B0A710
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09770 NtSetInformationFile, 1_2_00B09770
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B0A770 NtOpenThread, 1_2_00B0A770
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B09760 NtOpenProcess, 1_2_00B09760
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_004181D0 NtCreateFile, 1_1_004181D0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00418280 NtReadFile, 1_1_00418280
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00418300 NtClose, 1_1_00418300
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_004183B0 NtAllocateVirtualMemory, 1_1_004183B0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041827B NtCreateFile, 1_1_0041827B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_004182FD NtClose, 1_1_004182FD
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_004183AB NtAllocateVirtualMemory, 1_1_004183AB
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39A50 NtCreateFile, LdrInitializeThunk, 6_2_02F39A50
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39860 NtQuerySystemInformation, LdrInitializeThunk, 6_2_02F39860
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39840 NtDelayExecution, LdrInitializeThunk, 6_2_02F39840
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F399A0 NtCreateSection, LdrInitializeThunk, 6_2_02F399A0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39910 NtAdjustPrivilegesToken, LdrInitializeThunk, 6_2_02F39910
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F396E0 NtFreeVirtualMemory, LdrInitializeThunk, 6_2_02F396E0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F396D0 NtCreateKey, LdrInitializeThunk, 6_2_02F396D0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39660 NtAllocateVirtualMemory, LdrInitializeThunk, 6_2_02F39660
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39650 NtQueryValueKey, LdrInitializeThunk, 6_2_02F39650
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39FE0 NtCreateMutant, LdrInitializeThunk, 6_2_02F39FE0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39780 NtMapViewOfSection, LdrInitializeThunk, 6_2_02F39780
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39710 NtQueryInformationToken, LdrInitializeThunk, 6_2_02F39710
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F395D0 NtClose, LdrInitializeThunk, 6_2_02F395D0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39540 NtReadFile, LdrInitializeThunk, 6_2_02F39540
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39A80 NtOpenDirectoryObject, 6_2_02F39A80
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39A20 NtResumeThread, 6_2_02F39A20
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39A10 NtQuerySection, 6_2_02F39A10
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39A00 NtProtectVirtualMemory, 6_2_02F39A00
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F3A3B0 NtGetContextThread, 6_2_02F3A3B0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39B00 NtSetValueKey, 6_2_02F39B00
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F398F0 NtReadVirtualMemory, 6_2_02F398F0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F398A0 NtWriteVirtualMemory, 6_2_02F398A0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F3B040 NtSuspendThread, 6_2_02F3B040
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39820 NtEnumerateKey, 6_2_02F39820
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F399D0 NtCreateProcessEx, 6_2_02F399D0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39950 NtQueueApcThread, 6_2_02F39950
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39670 NtQueryInformationProcess, 6_2_02F39670
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39610 NtEnumerateValueKey, 6_2_02F39610
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F397A0 NtUnmapViewOfSection, 6_2_02F397A0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F3A770 NtOpenThread, 6_2_02F3A770
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39770 NtSetInformationFile, 6_2_02F39770
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39760 NtOpenProcess, 6_2_02F39760
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39730 NtQueryVirtualMemory, 6_2_02F39730
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F3A710 NtOpenProcessToken, 6_2_02F3A710
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F395F0 NtQueryInformationFile, 6_2_02F395F0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39560 NtWriteFile, 6_2_02F39560
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F3AD30 NtSetContextThread, 6_2_02F3AD30
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_02F39520 NtWaitForSingleObject, 6_2_02F39520
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_005781D0 NtCreateFile, 6_2_005781D0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_00578280 NtReadFile, 6_2_00578280
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_00578300 NtClose, 6_2_00578300
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_005783B0 NtAllocateVirtualMemory, 6_2_005783B0
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_0057827B NtCreateFile, 6_2_0057827B
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_005782FD NtClose, 6_2_005782FD
          Source: C:\Windows\SysWOW64\help.exe; Code function: 6_2_005783AB NtAllocateVirtualMemory, 6_2_005783AB
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 0_2_0040323C EntryPoint, #17, SetErrorMode, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA, CharNextA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcmpiA, CreateDirectoryA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess, 0_2_0040323C
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 0_2_00404853, 0_2_00404853
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 0_2_00406131, 0_2_00406131
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 0_2_73751A98, 0_2_73751A98
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041C87B, 1_2_0041C87B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00401030, 1_2_00401030
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00401174, 1_2_00401174
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041BA9A, 1_2_0041BA9A
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00408C6B, 1_2_00408C6B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00408C70, 1_2_00408C70
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041CC9C, 1_2_0041CC9C
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041C548, 1_2_0041C548
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041BDD4, 1_2_0041BDD4
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00402D87, 1_2_00402D87
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00402D90, 1_2_00402D90
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_0041C7AF, 1_2_0041C7AF
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00402FB0, 1_2_00402FB0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AF20A0, 1_2_00AF20A0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B920A8, 1_2_00B920A8
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00ADB090, 1_2_00ADB090
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B928EC, 1_2_00B928EC
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B9E824, 1_2_00B9E824
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AEA830, 1_2_00AEA830
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B81002, 1_2_00B81002
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AE99BF, 1_2_00AE99BF
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AE4120, 1_2_00AE4120
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00ACF900, 1_2_00ACF900
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B922AE, 1_2_00B922AE
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B84AEF, 1_2_00B84AEF
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AEB236, 1_2_00AEB236
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B7FA2B, 1_2_00B7FA2B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AFEBB0, 1_2_00AFEBB0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AF138B, 1_2_00AF138B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B723E3, 1_2_00B723E3
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B803DA, 1_2_00B803DA
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B8DBD2, 1_2_00B8DBD2
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AFABD8, 1_2_00AFABD8
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B92B28, 1_2_00B92B28
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AEA309, 1_2_00AEA309
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AEAB40, 1_2_00AEAB40
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B6CB4F, 1_2_00B6CB4F
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B84496, 1_2_00B84496
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AD841F, 1_2_00AD841F
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AEB477, 1_2_00AEB477
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B8D466, 1_2_00B8D466
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AF2581, 1_2_00AF2581
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B82D82, 1_2_00B82D82
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00ADD5E0, 1_2_00ADD5E0
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B925DD, 1_2_00B925DD
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AC0D20, 1_2_00AC0D20
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B92D07, 1_2_00B92D07
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B91D55, 1_2_00B91D55
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B92EF7, 1_2_00B92EF7
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00AE6E30, 1_2_00AE6E30
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B8D616, 1_2_00B8D616
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B91FF1, 1_2_00B91FF1
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_2_00B9DFCE, 1_2_00B9DFCE
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041C87B, 1_1_0041C87B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00401030, 1_1_00401030
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00401174, 1_1_00401174
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041BA9A, 1_1_0041BA9A
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00408C6B, 1_1_00408C6B
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00408C70, 1_1_00408C70
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041CC9C, 1_1_0041CC9C
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041C548, 1_1_0041C548
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041BDD4, 1_1_0041BDD4
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00402D87, 1_1_00402D87
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_00402D90, 1_1_00402D90
          Source: C:\Users\user\Desktop\KY4cmAI0jU.exe; Code function: 1_1_0041C7AF