
Windows Analysis Report v8kZUFgdD4.exe

Overview

General Information

Sample Name: v8kZUFgdD4.exe
Analysis ID: 452667
MD5: 57f3ae2842ffb5ceea386d0b97a52818
SHA1: 68423398d025d3cbbb944ee4c3cea5501df67761
SHA256: a0c7b3d44a5cfcda917fc80c099da5ab3de582ff7c24f1373b4bd25f88d61e52
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • v8kZUFgdD4.exe (PID: 724 cmdline: 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
    • v8kZUFgdD4.exe (PID: 6148 cmdline: 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: 57F3AE2842FFB5CEEA386D0B97A52818)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6580 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 6744 cmdline: /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.findfoodshop.com/dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx | Avira URL Cloud: Label: malware
Source: http://www.invisiongc.net/dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx | Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.extinctionbrews.com/dy8g/"], "decoy": ["mzyxi-rkah-y.net", "okinawarongnho.com", "qq66520.com", "nimbus.watch", "cwdelrio.com", "regalshopper.com", "avito-payment.life", "jorgeporcayo.com", "galvinsky.digital", "guys-only.com", "asmfruits-almacenes.com", "boatrace-life04.net", "cochez.club", "thelastvictor.net", "janieleconte.com", "ivoirepneus.com", "saludflv.info", "mydreamtv.net", "austinphy.com", "cajunseafoodstcloud.com", "13006608192.com", "clear3media.com", "thegrowclinic.com", "findfoodshop.com", "livegaming.store", "greensei.com", "atmaapothecary.com", "builtbydawn.com", "wthcoffee.com", "melodezu.com", "oikoschain.com", "matcitekids.com", "killrstudio.com", "doityourselfism.com", "monsoonnerd.com", "swissbankmusic.com", "envisionfordheights.com", "invisiongc.net", "aizaibali.com", "professioneconsulenza.net", "chaneabond.com", "theamercianhouseboat.com", "scuolatua.com", "surivaganza.com", "xn--vuq722jwngjre.com", "quiteimediato.space", "ecofingers.com", "manageoceanaccount.com", "cindywillardrealtor.com", "garimpeirastore.online", "tinsley.website", "fitnesstwentytwenty.com", "thenorthgoldline.com", "scuolacounselingroma.com", "iwccgroup.com", "wideawakemomma.com", "anthonysavillemiddleschool.com", "sprinkleresources.com", "ravexim3.com", "onedadtwodudes.com", "shxytl.com", "iriscloudvideo.com", "theshapecreator.com", "vermogenswerte.com"]}
Multi AV Scanner detection for submitted file
Source: v8kZUFgdD4.exe | Virustotal: Detection: 38%
Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 7.2.ipconfig.exe.3ac7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.v8kZUFgdD4.exe.2190000.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.ipconfig.exe.11406b0.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.v8kZUFgdD4.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: v8kZUFgdD4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: Binary string: ipconfig.pdb source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: v8kZUFgdD4.exe, 00000000.00000003.338578386.0000000002500000.00000004.00000001.sdmp, v8kZUFgdD4.exe, 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, ipconfig.exe, 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: v8kZUFgdD4.exe, ipconfig.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop esi | 1_2_00415852
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop ebx | 1_2_00406A98
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 4x nop then pop edi | 1_2_00415699
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop esi | 7_2_00EB5852
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx | 7_2_00EA6A99
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 7_2_00EB5699

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 52.58.78.16:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49762 -> 103.138.88.11:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49763 -> 162.241.62.54:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.extinctionbrews.com/dy8g/
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1 Host: www.extinctionbrews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1 Host: www.doityourselfism.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1 Host: www.ecofingers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1 Host: www.invisiongc.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1 Host: www.findfoodshop.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1 Host: www.scuolatua.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1 Host: www.okinawarongnho.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1 Host: www.jorgeporcayo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 52.58.78.16 52.58.78.16
Source: Joe Sandbox View | ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View | ASN Name: ARUBA-ASNIT ARUBA-ASNIT
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DjnY/S7/G1yk/GGdjnbMG0pwlAlipgBY8a8MDSEvYTAaE8/8s3MkSQswoGP3cSH4hj9/IphBwA==&0X=C6Ah3vPx HTTP/1.1 Host: www.extinctionbrews.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=Y4JBfBjBKMGzbUzrNu+ARLK4ZQab+dap1kq40YSvqSzyJ/mfRg4U9+Lz1eKJfRLK3cAmaa0bkw==&0X=C6Ah3vPx HTTP/1.1 Host: www.doityourselfism.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=X9Az7RthaT8xdqkxQ6tJRjQeFUHqBPh6fb7YU5dnwYv1rghxnAYW3P4f0krKlocv9Wl7uwWiww==&0X=C6Ah3vPx HTTP/1.1 Host: www.ecofingers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=MBhh1pO56K3YrZO9qJkl6N96HaWfS+D/lXW6/vw2t4O2Fl+GB2YqMK2ZraksguVxeKRya9uu2A==&0X=C6Ah3vPx HTTP/1.1 Host: www.invisiongc.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=4wzaECy4GBTuQnITbNLpu7AOQbyqIYrzJAsJNgGB2dTR99UQwJdt+FpFkOawEfEVdOlYoXAvoA==&0X=C6Ah3vPx HTTP/1.1 Host: www.findfoodshop.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3+VBHaRIBYykQk9iPNEqtroWJ/WwLhcg==&0X=C6Ah3vPx HTTP/1.1 Host: www.scuolatua.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=uor47PkOoKkLY099HuArMxw1XFE/ncsTlzCE/ODY21NzZk1xVsb5QvrTgLDn7S7AYBCRuXEk2w==&0X=C6Ah3vPx HTTP/1.1 Host: www.okinawarongnho.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /dy8g/?i0GDM=q7jKWIuNsoGkf7/hAqyN1U3v/GjJJAAs8Ri7ihl8JZVwqZwISrlxTPDImUVNZCFSYJzAIvZikA==&0X=C6Ah3vPx HTTP/1.1 Host: www.jorgeporcayo.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.aizaibali.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Cache-Control: private Content-Type: text/html; charset=utf-8 Server: Microsoft-IIS/8.5 X-Powered-By: ASP.NET Date: Thu, 22 Jul 2021 15:44:03 GMT Connection: close Content-Length: 5045
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.343561590.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: ipconfig.exe, 00000007.00000002.601572909.0000000003C42000.00000004.00000001.sdmp | String found in binary or memory: http://www.scuolatua.com:80/dy8g/?i0GDM=DyFQJ285GCHWDKdZkYvFextRb5KpVMjfJilCoJQfsM3
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.360323834.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004181D0 NtCreateFile
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00418280 NtReadFile
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00418300 NtClose
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004183B0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00418222 NtCreateFile
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004183AA NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A998F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A999A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A995D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A996E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A997A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A998A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99820 NtEnumerateKey
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A9B040 NtSuspendThread
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A999D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99950 NtQueueApcThread
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A99A10 NtQuerySection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FA770 NtOpenThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9760 NtOpenProcess
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A10 NtQuerySection
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A20 NtResumeThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9560 NtWriteFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035FB040 NtSuspendThread
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035F98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB81D0 NtCreateFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB8280 NtReadFile
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB8300 NtClose
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB8222 NtCreateFile
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0040102E
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B8FB
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00408C6C
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00408C70
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B57A
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00402D88
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041C58A
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A820A0
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00B220A8
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A6B090
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00B11002
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A74120
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00A5F900
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035EEBB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035D6E30
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_03681D55
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035BF900
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035B0D20
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035D4120
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035CD5E0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035E2581
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035C841F
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_03671002
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035CB090
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_035E20A0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB8FB
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA8C6C
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA8C70
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBC58A
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA2D88
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA2D90
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB57A
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: String function: 035BB150 appears 35 times
Source: v8kZUFgdD4.exe, 00000000.00000003.333171421.0000000002486000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs v8kZUFgdD4.exe
Source: v8kZUFgdD4.exe, 00000001.00000002.389800702.000000000060E000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs v8kZUFgdD4.exe
Source: v8kZUFgdD4.exe, 00000001.00000002.390529849.0000000000CDF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs v8kZUFgdD4.exe
Source: v8kZUFgdD4.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.v8kZUFgdD4.exe.21d0000.2.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.v8kZUFgdD4.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.v8kZUFgdD4.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.599150521.0000000001330000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.389518635.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.597969689.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.341137782.00000000021D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.389832598.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.598432080.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.389732615.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.339035509.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/0@16/8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6760:120:WilError_01
Source: v8kZUFgdD4.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\ipconfig.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\ipconfig.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: v8kZUFgdD4.exe | Virustotal: Detection: 38%
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | File read: C:\Users\user\Desktop\v8kZUFgdD4.exe
Source: unknown | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Process created: C:\Users\user\Desktop\v8kZUFgdD4.exe 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\v8kZUFgdD4.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: Binary string: ipconfig.pdb source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: v8kZUFgdD4.exe, 00000001.00000002.389856707.0000000000A20000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: v8kZUFgdD4.exe, 00000000.00000003.338578386.0000000002500000.00000004.00000001.sdmp, v8kZUFgdD4.exe, 00000001.00000002.389979034.0000000000A30000.00000040.00000001.sdmp, ipconfig.exe, 00000007.00000002.599975463.0000000003590000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: v8kZUFgdD4.exe, ipconfig.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.363215324.000000000DC20000.00000002.00000001.sdmp

          Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Unpacked PE file: 1.2.v8kZUFgdD4.exe.400000.0.unpack .text:ER;.rdata:R;.data:W; vs .text:ER;
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 0_2_00403DDB LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004062F6 pushfd ; ret 1_2_004062F7
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B3C5 push eax; ret 1_2_0041B418
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_004153FC push eax; retf 1_2_0041540B
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B47C push eax; ret 1_2_0041B482
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B412 push eax; ret 1_2_0041B418
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041B41B push eax; ret 1_2_0041B482
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00415CE7 pushad ; ret 1_2_00415D4B
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_0041C4EE push 133511A3h; retf 1_2_0041C4F3
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00414D71 push ss; iretd 1_2_00414D72
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00415D38 pushad ; ret 1_2_00415D4B
Source: C:\Users\user\Desktop\v8kZUFgdD4.exe | Code function: 1_2_00AAD0D1 push ecx; ret 1_2_00AAD0E4
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_0360D0D1 push ecx; ret 7_2_0360D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EA62F6 pushfd ; ret 7_2_00EA62F7
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB53FC push eax; retf 7_2_00EB540B
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB3C5 push eax; ret 7_2_00EBB418
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBC4EE push 133511A3h; retf 7_2_00EBC4F3
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB5CE7 pushad ; ret 7_2_00EB5D4B
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB47C push eax; ret 7_2_00EBB482
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB41B push eax; ret 7_2_00EBB482
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EBB412 push eax; ret 7_2_00EBB418
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB4D71 push ss; iretd 7_2_00EB4D72
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 7_2_00EB5D38 pushad ; ret 7_2_00EB5D4B

          Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion: