
Windows Analysis Report #6495PI-29458-2020.exe

Overview

General Information

Sample Name: #6495PI-29458-2020.exe
Analysis ID: 452525
MD5: 020c3201638570f2858099e3e522a9a0
SHA1: c3977925522b50fc59c2d2e1e014e24052d36fce
SHA256: 24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674
Tags: exe, formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses netsh to modify the Windows network and firewall settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • #6495PI-29458-2020.exe (PID: 5040 cmdline: 'C:\Users\user\Desktop\#6495PI-29458-2020.exe' MD5: 020C3201638570F2858099E3E522A9A0)
    • #6495PI-29458-2020.exe (PID: 4372 cmdline: {path} MD5: 020C3201638570F2858099E3E522A9A0)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 5852 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 5864 cmdline: /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3316 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
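The chain above (the sample re-launching itself, explorer.exe as the apparent parent of netsh.exe, and cmd.exe deleting the original file) is what a process-tree detector should key on. The following is an added example, not part of the Joe Sandbox report: it encodes the tree as constructed process-creation events and flags those three steps. The record field names, the image paths of cmd.exe and conhost.exe (the tree lists only their command lines) and the tag strings are assumptions.

```python
# Added example (not part of the Joe Sandbox report): a detector for the process
# chain shown in the tree above, run over process-creation events constructed from
# the PIDs, images and command lines listed there. The record layout
# (pid/ppid/image/cmdline) is an assumption, not any particular EDR schema.
import ntpath
import re

SAMPLE_NAME = "#6495PI-29458-2020.exe"

# Constructed from the process tree on this page. The tree gives no image path for
# cmd.exe and conhost.exe; the SysWOW64/System32 paths below are assumptions.
EVENTS = [
    {"pid": 5040, "ppid": 1, "image": r"C:\Users\user\Desktop\#6495PI-29458-2020.exe",
     "cmdline": r"'C:\Users\user\Desktop\#6495PI-29458-2020.exe'"},
    {"pid": 4372, "ppid": 5040, "image": r"C:\Users\user\Desktop\#6495PI-29458-2020.exe",
     "cmdline": "{path}"},
    {"pid": 3440, "ppid": 4372, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5852, "ppid": 3440, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r"C:\Windows\SysWOW64\netsh.exe"},
    {"pid": 5864, "ppid": 5852, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'"},
    {"pid": 3316, "ppid": 5864, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# "del 'path'" or "del path": capture the target up to the closing quote.
_DEL_RE = re.compile(r"\bdel\s+['\"]?([^'\"]+)", re.IGNORECASE)


def _base(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events, pid):
    """Image base names from pid upwards, until an ancestor outside the event set."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, tag) findings for the three steps of the chain in the report."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        name, pname = _base(e["image"]), _base(parent["image"])
        # 1. A process started from the same image as its parent (5040 -> 4372):
        #    a loader starting a second copy of itself to inject into.
        if e["image"].lower() == parent["image"].lower():
            findings.append((e["pid"], "self-spawn"))
        # 2. explorer.exe launching netsh.exe with no arguments: the report attributes
        #    netsh.exe to explorer.exe because injected code in explorer started it.
        if pname == "explorer.exe" and name == "netsh.exe" \
                and e["cmdline"].strip().strip('"').lower() == e["image"].lower():
            findings.append((e["pid"], "explorer-spawns-netsh-no-args"))
        # 3. cmd.exe /c del of the original sample once the payload lives elsewhere.
        if name == "cmd.exe":
            m = _DEL_RE.search(e["cmdline"])
            if m and _base(m.group(1).strip()) == SAMPLE_NAME.lower():
                findings.append((e["pid"], "self-delete"))
    return findings


if __name__ == "__main__":
    for pid, tag in detect(EVENTS):
        print(pid, tag, " <- ".join(ancestry(EVENTS, pid)))
```

Run against the constructed events it reports 4372 as self-spawn, 5852 as explorer-spawns-netsh-no-args and 5864 as self-delete, each with its ancestry back to the sample.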

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nouolive.com/wt5i/"], "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "projectsolutionspro.com", "ncg.xyz", "goio.digital", "ee-secure-account.com", "criminalstudy.com", "fsjuanzhi.com", "pont-travaux-public.com", "agencepartenaire.com", "jlsyzm.com", "prosselius.com", "woodendgroups.com", "thereproducts.site", "sigmagrupo.net", "chelseagracia.com", "fusosstore.com", "chrissypips.trade", "mvlxplcswa.com", "sneguard.com", "travellingcomet.com", "ledbydesign.asia", "yaysondaj.com", "recoverydharma.guide", "peak8000.com", "alltranslation.xyz", "igorkozel.com", "x-box2send.club", "campgoodco.com", "arrowinvestments-technology.com", "naturally-preserved.com", "vk-authorization.site", "xn--12cfjb7d8dd4ftb6cr0g5e.net", "losjazminesdelamolina.com", "farmaciamoyatoledo134fmas.com", "sgainme.com", "corcoran.network", "nestarchitectural.com", "nnltsy.com", "wyoming-interactive.net", "laomao.site", "qiwuwenhua.com", "conectals.com", "wanggou0579.com", "nanmedia.info", "kindredheatrsteam.com", "passiveincomeincubator.com", "eletroclimaks.com", "getbackmode.com", "clearvuetaxadvisors.com", "pick-assiette.com", "tribelinx.com", "1bodymobile.com", "united-for-humanity.net", "hoatao.xyz", "isbpestcontrol.com", "nieght.com", "pinoyhoustontv.com", "bloochy.com", "greatestpotever.com", "onikidil.com", "inspirainstitute.com", "yourcariq.com"]}

Yara Overview

Memory Dumps

Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.440393594.0000000002A08000.00000004.00000001.sdmp, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
(15 further memory-dump entries are not shown in this extract)

Unpacked PEs

Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry is not shown in this extract)
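The same rule strings match in the .unpack and .raw.unpack views at offsets that differ by a constant 0xE00 (0x98e8 vs 0x8ae8, 0x15675 vs 0x14875, and so on), i.e. one body of code seen through two layouts, not separate matches. $sequence_0 (03 C8 0F 31 2B C1 89 45 FC) decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, a timestamp-counter delta, which is the RDTSC timing check the signature list above refers to; the JPCERT strings are push imm32 instructions whose constants the rule's variable names associate with sqlite3 step/text/blob. The block below is an added example, not code from the report or from either rule's author: it scans a constructed buffer for these patterns, decodes the push immediates and checks the offset delta. The buffer layout and the function names are assumptions.

```python
# Added example (not the report's code and not the cited YARA rules): a scanner for
# the byte patterns listed in the Formbook_1 and JPCERT rule hits above, a decoder
# for the 5-byte "push imm32" strings, and a check for the constant offset delta
# between the two unpacked views. The buffer scanned here is constructed, so its
# offsets are not those of the real dump.
import struct

# Hex strings copied from the rule hits on this page.
PATTERNS = {
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

# Offsets of sequence_0 (both hits), sequence_1 and sequence_5 as reported for the
# .raw.unpack view and for the .unpack view of 13.2.#6495PI-29458-2020.exe.400000.0.
RAW_OFFSETS = [0x98E8, 0x9B52, 0x15675, 0xA56A]
UNPACK_OFFSETS = [0x8AE8, 0x8D52, 0x14875, 0x976A]


def compile_patterns(patterns):
    return {name: bytes.fromhex(hexstr) for name, hexstr in patterns.items()}


def scan(buf, patterns):
    """{name: [offsets]} for every occurrence of each pattern, overlaps included."""
    hits = {}
    for name, needle in compile_patterns(patterns).items():
        offs, start = [], 0
        while (i := buf.find(needle, start)) >= 0:
            offs.append(i)
            start = i + 1
        if offs:
            hits[name] = offs
    return hits


def push_imm32(needle):
    """Immediate of a 'push imm32' (opcode 0x68) string, or None if it is not one.
    For the JPCERT strings this is the constant the sample pushes where the rule
    expects the sqlite3 lookup, not an address."""
    if len(needle) == 5 and needle[0] == 0x68:
        return struct.unpack("<I", needle[1:])[0]
    return None


def is_rdtsc_delta(needle):
    """True when the sequence contains RDTSC (0F 31). sequence_0 is
    add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: a timing delta."""
    return b"\x0f\x31" in needle


def constant_delta(a, b):
    """The single offset delta between two match lists, or None if it is not constant.
    A constant delta across all strings means both views hold the same code with a
    different header/section layout, not two different sets of matches."""
    if len(a) != len(b):
        return None
    deltas = {x - y for x, y in zip(a, b)}
    return deltas.pop() if len(deltas) == 1 else None


def build_sample_buffer():
    """Constructed image: NOP filler with two copies of sequence_0 and one of each
    other pattern at known offsets (mirroring the doubled hits in the report)."""
    pats = compile_patterns(PATTERNS)
    buf = bytearray(b"\x90" * 0x400)
    layout = [(0x10, "sequence_0"), (0x80, "sequence_0"), (0x100, "sqlite3step"),
              (0x120, "sqlite3text"), (0x140, "sqlite3blob"), (0x200, "sequence_5")]
    for off, name in layout:
        buf[off:off + len(pats[name])] = pats[name]
    return bytes(buf)


if __name__ == "__main__":
    for name, offs in scan(build_sample_buffer(), PATTERNS).items():
        imm = push_imm32(bytes.fromhex(PATTERNS[name]))
        print(name, [hex(o) for o in offs], hex(imm) if imm is not None else "")
    print("raw vs unpack delta:", hex(constant_delta(RAW_OFFSETS, UNPACK_OFFSETS)))
```

When matches from two dumps of the same process line up with one constant delta, as they do here, treat them as one finding and diff only the layout; the push immediates are stable across samples of a family and are therefore the part of these strings worth carrying into your own rules.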

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.nouolive.com/wt5i/"], "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "projectsolutionspro.com", "ncg.xyz", "goio.digital", "ee-secure-account.com", "criminalstudy.com", "fsjuanzhi.com", "pont-travaux-public.com", "agencepartenaire.com", "jlsyzm.com", "prosselius.com", "woodendgroups.com", "thereproducts.site", "sigmagrupo.net", "chelseagracia.com", "fusosstore.com", "chrissypips.trade", "mvlxplcswa.com", "sneguard.com", "travellingcomet.com", "ledbydesign.asia", "yaysondaj.com", "recoverydharma.guide", "peak8000.com", "alltranslation.xyz", "igorkozel.com", "x-box2send.club", "campgoodco.com", "arrowinvestments-technology.com", "naturally-preserved.com", "vk-authorization.site", "xn--12cfjb7d8dd4ftb6cr0g5e.net", "losjazminesdelamolina.com", "farmaciamoyatoledo134fmas.com", "sgainme.com", "corcoran.network", "nestarchitectural.com", "nnltsy.com", "wyoming-interactive.net", "laomao.site", "qiwuwenhua.com", "conectals.com", "wanggou0579.com", "nanmedia.info", "kindredheatrsteam.com", "passiveincomeincubator.com", "eletroclimaks.com", "getbackmode.com", "clearvuetaxadvisors.com", "pick-assiette.com", "tribelinx.com", "1bodymobile.com", "united-for-humanity.net", "hoatao.xyz", "isbpestcontrol.com", "nieght.com", "pinoyhoustontv.com", "bloochy.com", "greatestpotever.com", "onikidil.com", "inspirainstitute.com", "yourcariq.com"]}
Multi AV Scanner detection for submitted file
Source: #6495PI-29458-2020.exe, ReversingLabs: Detection: 19%
Yara detected FormBook
Source: Yara match, File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: #6495PI-29458-2020.exe, Joe Sandbox ML: detected
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: #6495PI-29458-2020.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: #6495PI-29458-2020.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp, netsh.exe, 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: #6495PI-29458-2020.exe, netsh.exe
Source: Binary string: wscui.pdb source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.nouolive.com/wt5i/
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe, DNS query: www.hoatao.xyz
Source: global traffic, HTTP traffic detected:
    GET /wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== HTTP/1.1
    Host: www.hoatao.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic, HTTP traffic detected:
    GET /wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g== HTTP/1.1
    Host: www.hoatao.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii: (seven NUL bytes, nothing printable)
Source: unknown, DNS traffic detected: queries for: www.hoatao.xyz
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000E.00000000.443706062.000000000095C000.00000004.00000020.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: #6495PI-29458-2020.exe, 00000000.00000003.345121242.000000000108B000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #6495PI-29458-2020.exe, 00000000.00000003.345638270.00000000054E2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #6495PI-29458-2020.exe, 00000000.00000003.345312048.00000000054E2000.00000004.00000001.sdmp, #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: #6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comf
Source: #6495PI-29458-2020.exe, 00000000.00000002.447012611.00000000054B0000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comm
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #6495PI-29458-2020.exe, 00000000.00000003.347449500.00000000054E2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm92
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/%
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/B
Source: #6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/I
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0trP
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/%
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/B
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/I
Source: #6495PI-29458-2020.exe, 00000000.00000003.343230134.00000000054B9000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/t
Source: #6495PI-29458-2020.exe, 00000000.00000003.343574431.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/m
Source: #6495PI-29458-2020.exe, 00000000.00000003.343929858.00000000054BA000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/n-u3
Source: #6495PI-29458-2020.exe, 00000000.00000003.343032173.00000000054B3000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ww.m
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: #6495PI-29458-2020.exe, 00000000.00000002.447780636.00000000056C2000.00000004.00000001.sdmp, explorer.exe, 0000000E.00000000.462632067.000000000B1A0000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 00000014.00000002.608434509.000000000412F000.00000004.00000001.sdmp, String found in binary or memory: https://www.hoatao.xyz/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7
Source: #6495PI-29458-2020.exe, 00000000.00000002.439309006.0000000000D08000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
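The host actually contacted, www.hoatao.xyz, is not the configured C2 (www.nouolive.com) but an entry of the decoy list, reached on the C2 path /wt5i/ with a GET that carries no User-Agent header. FormBook spreads its beacons over the decoy domains as well as the real C2, so a detector keyed only on the C2 host name misses most of the traffic, while the path token and the request shape travel with every request. The font-vendor URLs under "String found in binary or memory" are font metadata from the loaded images, not indicators. The block below is an added example, not part of the report: it classifies hosts against the extracted configuration and pulls the host-independent evidence out of the GET. CONFIG holds the page's C2 entry and a subset of its decoy list, REQUEST is constructed from the GET above, and the record field names are assumptions.

```python
# Added example (not part of the report): classify the DNS and HTTP activity listed
# above against the extracted FormBook configuration. CONFIG carries the page's C2
# entry and a subset of its decoy list; REQUEST is constructed from the GET shown
# above; the field names of both records are assumptions.
from urllib.parse import parse_qs, urlsplit

CONFIG = {
    "C2 list": ["www.nouolive.com/wt5i/"],
    # First entries of the page's decoy list plus hoatao.xyz, the host actually contacted.
    "decoy": ["mydreamct.com", "vadicore.com", "choicemango.com", "ee-secure-account.com",
              "vk-authorization.site", "hoatao.xyz", "x-box2send.club", "yourcariq.com"],
}

# Constructed from the "HTTP traffic detected" entry above; note: no User-Agent header.
REQUEST = {
    "method": "GET",
    "host": "www.hoatao.xyz",
    "target": "/wt5i/?q0DD6=2dfL90cX&8pjDV6=tXijk4hnD7izr0wZK7+l+fr5rYWJObsKdpXRzMG7/vctLDNQEZfSzrEr5AJ0mQFbfi1yOCsf5g==",
    "headers": {"Host": "www.hoatao.xyz", "Connection": "close"},
}


def split_c2(entry):
    """'host/path/' -> (host, '/path/'); the config stores the C2 without a scheme."""
    host, _, path = entry.partition("/")
    return host.lower(), "/" + path


def classify_host(host, cfg):
    """'c2', 'decoy' or 'unknown'. Traffic uses www.-prefixed names, the config bare ones."""
    h = host.lower()
    if h in {split_c2(e)[0] for e in cfg["C2 list"]}:
        return "c2"
    decoys = {d.lower() for d in cfg["decoy"]}
    bare = h[4:] if h.startswith("www.") else h
    return "decoy" if h in decoys or bare in decoys else "unknown"


def match_request(req, cfg):
    """Evidence a detector can key on without trusting the host name alone:
    the configured C2 path, the missing User-Agent and the two-parameter query."""
    url = urlsplit(req["target"])
    params = parse_qs(url.query)
    return {
        "host_class": classify_host(req["host"], cfg),
        "c2_path": url.path in {split_c2(e)[1] for e in cfg["C2 list"]},
        "no_user_agent": not any(k.lower() == "user-agent" for k in req["headers"]),
        "param_count": len(params),
    }


def blocklist(cfg):
    """Hosts worth blocking outright: only the configured C2. The decoy list exists to
    hide the real C2 among unrelated domains, so blocking decoys adds noise and does
    not stop the real beacon; detect those requests by shape instead."""
    return sorted({split_c2(e)[0] for e in cfg["C2 list"]})


if __name__ == "__main__":
    print(match_request(REQUEST, CONFIG))
    print("block:", blocklist(CONFIG))
```

For the request on this page the result is host_class "decoy", c2_path True, no_user_agent True and param_count 2; a rule that requires the last three together fires on the decoy traffic as well as on the real C2 beacon.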

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419D50 NtCreateFile,13_2_00419D50
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419E00 NtReadFile,13_2_00419E00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419E80 NtClose,13_2_00419E80
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419F30 NtAllocateVirtualMemory,13_2_00419F30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419D4C NtCreateFile,13_2_00419D4C
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419DFB NtReadFile,13_2_00419DFB
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_00419F2A NtAllocateVirtualMemory,13_2_00419F2A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B799A0 NtCreateSection,LdrInitializeThunk,13_2_01B799A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_01B79910
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B798F0 NtReadVirtualMemory,LdrInitializeThunk,13_2_01B798F0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79860 NtQuerySystemInformation,LdrInitializeThunk,13_2_01B79860
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79840 NtDelayExecution,LdrInitializeThunk,13_2_01B79840
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79A20 NtResumeThread,LdrInitializeThunk,13_2_01B79A20
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79A00 NtProtectVirtualMemory,LdrInitializeThunk,13_2_01B79A00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79A50 NtCreateFile,LdrInitializeThunk,13_2_01B79A50
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B795D0 NtClose,LdrInitializeThunk,13_2_01B795D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79540 NtReadFile,LdrInitializeThunk,13_2_01B79540
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B797A0 NtUnmapViewOfSection,LdrInitializeThunk,13_2_01B797A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79780 NtMapViewOfSection,LdrInitializeThunk,13_2_01B79780
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79710 NtQueryInformationToken,LdrInitializeThunk,13_2_01B79710
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B796E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_01B796E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79660 NtAllocateVirtualMemory,LdrInitializeThunk,13_2_01B79660
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B799D0 NtCreateProcessEx,13_2_01B799D0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79950 NtQueueApcThread,13_2_01B79950
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B798A0 NtWriteVirtualMemory,13_2_01B798A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79820 NtEnumerateKey,13_2_01B79820
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B7B040 NtSuspendThread,13_2_01B7B040
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B7A3B0 NtGetContextThread,13_2_01B7A3B0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79B00 NtSetValueKey,13_2_01B79B00
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79A80 NtOpenDirectoryObject,13_2_01B79A80
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79A10 NtQuerySection,13_2_01B79A10
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B795F0 NtQueryInformationFile,13_2_01B795F0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B7AD30 NtSetContextThread,13_2_01B7AD30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79520 NtWaitForSingleObject,13_2_01B79520
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79560 NtWriteFile,13_2_01B79560
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79FE0 NtCreateMutant,13_2_01B79FE0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79730 NtQueryVirtualMemory,13_2_01B79730
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B7A710 NtOpenProcessToken,13_2_01B7A710
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B7A770 NtOpenThread,13_2_01B7A770
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe, Code function: 13_2_01B79770 NtSetInformationFile,13_2_01B79770
            Source: C:\Users\user\Desktop\#6495PI-29458-2020.exeCode function: 13_2_01B79760 NtOpenProcess,13_2_01B79760
            Source: C:\Users\user\Desktop\#6495PI-29458-2020.exeCode function: 13_2_01B796D0 NtCreateKey,13_2_01B796D0
            Source: C:\Users\user\Desktop\#6495PI-29458-2020.exeCode function: 13_2_01B79610 NtEnumerateValueKey,13_2_01B79610
            Source: C:\Users\user\Desktop\#6495PI-29458-2020.exeCode function: 13_2_01B79670 NtQueryInformationProcess,13_2_01B79670
            Source: C:\Users\user\Desktop\#6495PI-29458-2020.exeCode function: 13_2_01B79650 NtQueryValueKey,13_2_01B79650
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779710 NtQueryInformationToken,LdrInitializeThunk,20_2_03779710
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779FE0 NtCreateMutant,LdrInitializeThunk,20_2_03779FE0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779780 NtMapViewOfSection,LdrInitializeThunk,20_2_03779780
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779A50 NtCreateFile,LdrInitializeThunk,20_2_03779A50
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037796E0 NtFreeVirtualMemory,LdrInitializeThunk,20_2_037796E0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037796D0 NtCreateKey,LdrInitializeThunk,20_2_037796D0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779540 NtReadFile,LdrInitializeThunk,20_2_03779540
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779910 NtAdjustPrivilegesToken,LdrInitializeThunk,20_2_03779910
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037795D0 NtClose,LdrInitializeThunk,20_2_037795D0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037799A0 NtCreateSection,LdrInitializeThunk,20_2_037799A0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779860 NtQuerySystemInformation,LdrInitializeThunk,20_2_03779860
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779840 NtDelayExecution,LdrInitializeThunk,20_2_03779840
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779770 NtSetInformationFile,20_2_03779770
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_0377A770 NtOpenThread,20_2_0377A770
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779760 NtOpenProcess,20_2_03779760
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779730 NtQueryVirtualMemory,20_2_03779730
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_0377A710 NtOpenProcessToken,20_2_0377A710
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779B00 NtSetValueKey,20_2_03779B00
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_0377A3B0 NtGetContextThread,20_2_0377A3B0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037797A0 NtUnmapViewOfSection,20_2_037797A0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779670 NtQueryInformationProcess,20_2_03779670
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779660 NtAllocateVirtualMemory,20_2_03779660
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779650 NtQueryValueKey,20_2_03779650
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779A20 NtResumeThread,20_2_03779A20
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779610 NtEnumerateValueKey,20_2_03779610
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779A10 NtQuerySection,20_2_03779A10
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779A00 NtProtectVirtualMemory,20_2_03779A00
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779A80 NtOpenDirectoryObject,20_2_03779A80
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779560 NtWriteFile,20_2_03779560
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779950 NtQueueApcThread,20_2_03779950
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_0377AD30 NtSetContextThread,20_2_0377AD30
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779520 NtWaitForSingleObject,20_2_03779520
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037795F0 NtQueryInformationFile,20_2_037795F0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037799D0 NtCreateProcessEx,20_2_037799D0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_0377B040 NtSuspendThread,20_2_0377B040
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03779820 NtEnumerateKey,20_2_03779820
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037798F0 NtReadVirtualMemory,20_2_037798F0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_037798A0 NtWriteVirtualMemory,20_2_037798A0
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03129E00 NtReadFile,20_2_03129E00
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03129E80 NtClose,20_2_03129E80
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03129D50 NtCreateFile,20_2_03129D50
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03129D4C NtCreateFile,20_2_03129D4C
            Source: C:\Windows\SysWOW64\netsh.exeCode function: 20_2_03129DFB NtReadFile,20_2_03129DFB
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA1070 | 0_2_00FA1070
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA3168 | 0_2_00FA3168
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA2218 | 0_2_00FA2218
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA0471 | 0_2_00FA0471
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA1818 | 0_2_00FA1818
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA4068 | 0_2_00FA4068
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA3060 | 0_2_00FA3060
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA4058 | 0_2_00FA4058
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5260 | 0_2_00FA5260
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5251 | 0_2_00FA5251
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5498 | 0_2_00FA5498
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5488 | 0_2_00FA5488
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5760 | 0_2_00FA5760
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5751 | 0_2_00FA5751
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA5931 | 0_2_00FA5931
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_00FA0FC1 | 0_2_00FA0FC1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_00401030 | 13_2_00401030
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041D19B | 13_2_0041D19B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041D343 | 13_2_0041D343
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041D49B | 13_2_0041D49B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_00402D87 | 13_2_00402D87
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_00402D90 | 13_2_00402D90
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_00409E30 | 13_2_00409E30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041E70A | 13_2_0041E70A
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_00402FB0 | 13_2_00402FB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B54120 | 13_2_01B54120
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B3F900 | 13_2_01B3F900
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B620A0 | 13_2_01B620A0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B4B090 | 13_2_01B4B090
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C028EC | 13_2_01C028EC
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C020A8 | 13_2_01C020A8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01BF1002 | 13_2_01BF1002
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C0E824 | 13_2_01C0E824
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B6EBB0 | 13_2_01B6EBB0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01BF03DA | 13_2_01BF03DA
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01BFDBD2 | 13_2_01BFDBD2
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C02B28 | 13_2_01C02B28
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C022AE | 13_2_01C022AE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C025DD | 13_2_01C025DD
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B62581 | 13_2_01B62581
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B4D5E0 | 13_2_01B4D5E0
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B30D20 | 13_2_01B30D20
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C01D55 | 13_2_01C01D55
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C02D07 | 13_2_01C02D07
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B4841F | 13_2_01B4841F
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01BFD466 | 13_2_01BFD466
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C0DFCE | 13_2_01C0DFCE
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C01FF1 | 13_2_01C01FF1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01C02EF7 | 13_2_01C02EF7
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B56E30 | 13_2_01B56E30
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01BFD616 | 13_2_01BFD616
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03801FF1 | 20_2_03801FF1
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0376EBB0 | 20_2_0376EBB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03756E30 | 20_2_03756E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03802EF7 | 20_2_03802EF7
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03730D20 | 20_2_03730D20
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03754120 | 20_2_03754120
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0373F900 | 20_2_0373F900
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03802D07 | 20_2_03802D07
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0374D5E0 | 20_2_0374D5E0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03801D55 | 20_2_03801D55
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03762581 | 20_2_03762581
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_038020A8 | 20_2_038020A8
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0374841F | 20_2_0374841F
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_037F1002 | 20_2_037F1002
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_037620A0 | 20_2_037620A0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0374B090 | 20_2_0374B090
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312D343 | 20_2_0312D343
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312D19B | 20_2_0312D19B
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03112FB0 | 20_2_03112FB0
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03119E30 | 20_2_03119E30
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03112D90 | 20_2_03112D90
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03112D87 | 20_2_03112D87
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: String function: 01B3B150 appears 45 times
Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 0373B150 appears 35 times
Source: #6495PI-29458-2020.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: #6495PI-29458-2020.exe, 00000000.00000002.449589021.0000000007710000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000000.334894034.0000000000607000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000002.440896694.0000000002C7D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 00000000.00000002.444904187.0000000004DE0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000000.437934792.0000000000F87000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000002.497442068.00000000019EC000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe | Binary or memory string: OriginalFilenameiH1Ql.exe2 vs #6495PI-29458-2020.exe
Source: #6495PI-29458-2020.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 13.2.#6495PI-29458-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.604028874.0000000000B50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.605088618.0000000003110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.442703762.00000000039A1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.496436603.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.496991473.0000000001810000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.497054579.0000000001840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: #6495PI-29458-2020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@1/1
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\#6495PI-29458-2020.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3316:120:WilError_01
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: #6495PI-29458-2020.exe | ReversingLabs: Detection: 19%
Source: #6495PI-29458-2020.exe | String found in binary or memory: es>false</DisallowStartIfOnBatteries> <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries> <AllowHardTerminate>false</AllowHardTerminate> <StartWhenAvailable>true</StartWhenAvailable> <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvail
Source: #6495PI-29458-2020.exe | String found in binary or memory: ble> <IdleSettings> <StopOnIdleEnd>true</StopOnIdleEnd> <RestartOnIdle>false</RestartOnIdle> </IdleSettings> <AllowStartOnDemand>true</AllowStartOnDemand> <Enabled>true</Enabled> <Hidden>false</Hidden> <RunOnlyIfIdle
Source: unknown | Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Process created: C:\Users\user\Desktop\#6495PI-29458-2020.exe {path}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\#6495PI-29458-2020.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: #6495PI-29458-2020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: #6495PI-29458-2020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: netsh.pdb | source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL | source: #6495PI-29458-2020.exe, 0000000D.00000002.497334221.00000000019D0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: #6495PI-29458-2020.exe, 0000000D.00000002.498156199.0000000001C2F000.00000040.00000001.sdmp, netsh.exe, 00000014.00000002.606306317.000000000382F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: #6495PI-29458-2020.exe, netsh.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000E.00000000.464626277.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: #6495PI-29458-2020.exe, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.#6495PI-29458-2020.exe.520000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.#6495PI-29458-2020.exe.520000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.0.#6495PI-29458-2020.exe.ea0000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 13.2.#6495PI-29458-2020.exe.ea0000.1.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 0_2_04E51440 push ebp; retf 0_2_04E51441
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_00404246 push 4F62DEB6h; retf 13_2_0040424B
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041CEF2 push eax; ret 13_2_0041CEF8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041CEFB push eax; ret 13_2_0041CF62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041CEA5 push eax; ret 13_2_0041CEF8
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041CF5C push eax; ret 13_2_0041CF62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_0041CF89 push eax; ret 13_2_0041CF62
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Code function: 13_2_01B8D0D1 push ecx; ret 13_2_01B8D0E4
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0378D0D1 push ecx; ret 20_2_0378D0E4
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_03114246 push 4F62DEB6h; retf 20_2_0311424B
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312D865 push esi; retf 20_2_0312D866
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312CF5C push eax; ret 20_2_0312CF62
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312CF89 push eax; ret 20_2_0312CF62
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312CEA5 push eax; ret 20_2_0312CEF8
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312CEF2 push eax; ret 20_2_0312CEF8
Source: C:\Windows\SysWOW64\netsh.exe | Code function: 20_2_0312CEFB push eax; ret 20_2_0312CF62
Source: initial sample | Static PE information: section name: .text entropy: 7.7536017706

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x82 0x2E 0xEB
Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\#6495PI-29458-2020.exe