
Windows Analysis Report J2roaMGDmh.exe

Overview

General Information

Sample Name: J2roaMGDmh.exe
Analysis ID: 501930
MD5: 7b57c26a8208756f37e8df8331f94610
SHA1: bfb4a9e25f36ade44b084706da30c3f305d65609
SHA256: 0cf11de8a0ce67a46203ae419f2aa7bb988ae3088dc4f33158dccc55b97e4a7d
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • J2roaMGDmh.exe (PID: 5268 cmdline: 'C:\Users\user\Desktop\J2roaMGDmh.exe' MD5: 7B57C26A8208756F37E8DF8331F94610)
    • J2roaMGDmh.exe (PID: 5736 cmdline: C:\Users\user\Desktop\J2roaMGDmh.exe MD5: 7B57C26A8208756F37E8DF8331F94610)
      • explorer.exe (PID: 3440 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 5256 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 576 cmdline: /c del 'C:\Users\user\Desktop\J2roaMGDmh.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.yourmajordomo.com/kzk9/"], "decoy": ["tianconghuo.club", "1996-page.com", "ourtownmax.net", "conservativetreehose.com", "synth.repair", "donnachicacreperia.com", "tentfull.com", "weapp.download", "surfersink.com", "gattlebusinessservices.com", "sebastian249.com", "anhphuc.company", "betternatureproducts.net", "defroplate.com", "seattlesquidsquad.com", "polarjob.com", "lendingadvantage.com", "angelsondope.com", "goportjitney.com", "tiendagrupojagr.com", "self-care360.com", "foreignexchage.com", "loan-stalemate.info", "hrsimrnsingh.com", "laserobsession.com", "primetimesmagazine.com", "teminyulon.xyz", "kanoondarab.com", "alpinefall.com", "tbmautosales.com", "4g2020.com", "libertyquartermaster.com", "flavorfalafel.com", "generlitravel.com", "solvedfp.icu", "jamnvibez.com", "zmx258.com", "doudiangroup.com", "dancecenterwest.com", "ryantheeconomist.com", "beeofthehive.com", "bluelearn.world", "vivalasplantas.com", "yumiacraftlab.com", "shophere247365.com", "enjoybespokenwords.com", "windajol.com", "ctgbazar.xyz", "afcerd.com", "dateprotect.com", "northeastonmusic.com", "fourwaira.com", "forschungsraumtheater.com", "islameraloke.com", "mavericksone.com", "whguideinfrared.com", "akomandr.com", "experts-portail.com", "ambassadorworldnews.com", "case-kangaroo.com", "theglobalbusinessmentor.com", "igforoldpeople.com", "royalglossesbss.com", "merxeduct.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.372836709.0000000002DF8000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(25 further memory dump entries are collapsed in the original report)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.J2roaMGDmh.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.J2roaMGDmh.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.J2roaMGDmh.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
0.2.J2roaMGDmh.exe.2d72f00.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
4.2.J2roaMGDmh.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(2 further unpacked PE entries are collapsed in the original report)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook (full configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: J2roaMGDmh.exe | Virustotal: Detection: 27%
Source: J2roaMGDmh.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 4.2.J2roaMGDmh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.J2roaMGDmh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.440050317.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.615817929.0000000005000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.611942980.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.426534249.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.615851460.0000000005030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.406720779.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.373810317.0000000003E19000.00000004.00000001.sdmp, type: MEMORY
Source: 4.2.J2roaMGDmh.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: J2roaMGDmh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: J2roaMGDmh.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP | source: J2roaMGDmh.exe, 00000004.00000002.440755237.00000000010AF000.00000040.00000001.sdmp, mstsc.exe, 0000000B.00000002.616193947.00000000053BF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: J2roaMGDmh.exe, 00000004.00000002.440755237.00000000010AF000.00000040.00000001.sdmp, mstsc.exe
Source: Binary string: mstsc.pdbGCTL | source: J2roaMGDmh.exe, 00000004.00000002.441354565.0000000002EE0000.00000040.00020000.sdmp
Source: Binary string: mstsc.pdb | source: J2roaMGDmh.exe, 00000004.00000002.441354565.0000000002EE0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4x nop then pop esi | 4_2_004171FA
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 4x nop then pop esi | 11_2_00D471FA

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Network Connect: 107.6.155.186 80
Source: C:\Windows\explorer.exe | Domain query: www.hrsimrnsingh.com
Source: C:\Windows\explorer.exe | Domain query: www.betternatureproducts.net
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.yourmajordomo.com/kzk9/
Source: Joe Sandbox View | ASN Name: SINGLEHOP-LLCUS SINGLEHOP-LLCUS
Source: global traffic | HTTP traffic detected: GET /kzk9/?8pTT4=+i/LTLduU7fAUP8tQ9h+hSfKlVxkGBINCOTckEU5PkFcE/IERtx60gnduHY8vjDTXE+nkDhsdw==&g2M=x6Pt5twhlZQ0qj3 HTTP/1.1 | Host: www.hrsimrnsingh.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: http://business.google.com/
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: http://business.google.com/website/akom-and-r/kzk9/
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: http://business.google.com/website/akom-and-r/kzk9/"
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.412192103.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: J2roaMGDmh.exe, 00000000.00000002.372623647.0000000002D51000.00000004.00000001.sdmp | String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: J2roaMGDmh.exe, 00000000.00000002.372283378.00000000013B7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: J2roaMGDmh.exe, 00000000.00000002.372283378.00000000013B7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: J2roaMGDmh.exe, 00000000.00000002.372283378.00000000013B7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.come.comq
Source: J2roaMGDmh.exe, 00000000.00000002.372283378.00000000013B7000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comgrita
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: J2roaMGDmh.exe, 00000000.00000002.377729214.0000000006E72000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://ads.google.com/localservices
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://akomandr.com
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://business.google.com
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://csp.withgoogle.com/csp/report-to/GeoMerchantPrestoSiteUi/external
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://lh5.googleusercontent.com/Ou_7C5kj2o17FxX4QrEWJq3EkmuvKyMvixe9QydulDReRDAzyGM6-CLucjMFkh1LIz
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://schema.org/LocalBusiness
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://workspace.google.com
Source: mstsc.exe, 0000000B.00000002.616621785.0000000005CBF000.00000004.00020000.sdmp | String found in binary or memory: https://www.gstatic.com/_/mss/boq-geo/_/js/k=boq-geo.GeoMerchantPrestoSiteUi.en_US.6fdqQtYfYR8.es5.O
Source: unknown | DNS traffic detected: queries for: www.betternatureproducts.net

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 4.2.J2roaMGDmh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.J2roaMGDmh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.440050317.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.615817929.0000000005000000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.611942980.0000000000D30000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.426534249.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.615851460.0000000005030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000000.406720779.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.373810317.0000000003E19000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 4.2.J2roaMGDmh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.J2roaMGDmh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 4.2.J2roaMGDmh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.J2roaMGDmh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.440050317.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.440050317.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.615817929.0000000005000000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.615817929.0000000005000000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.611942980.0000000000D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.611942980.0000000000D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.426534249.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.426534249.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000B.00000002.615851460.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000B.00000002.615851460.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000000.406720779.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000000.406720779.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.373810317.0000000003E19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.373810317.0000000003E19000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: J2roaMGDmh.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 4.2.J2roaMGDmh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.J2roaMGDmh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.J2roaMGDmh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.J2roaMGDmh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.440468622.0000000000E90000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.440502637.0000000000EC0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.440050317.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.440050317.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.615817929.0000000005000000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.615817929.0000000005000000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.611942980.0000000000D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.611942980.0000000000D30000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.426534249.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000000.426534249.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000B.00000002.615851460.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000B.00000002.615851460.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000000.406720779.000000000DDF2000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000005.00000000.406720779.000000000DDF2000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: 00000000.00000002.373810317.0000000003E19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.373810317.0000000003E19000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_00885696
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_008853D5
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_02BAE6B8
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_02BAE6B2
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_02BABD04
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_07C40040
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_07C40006
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_00883251
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00401030
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041D1FE
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00402D88
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00402D90
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00409E40
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00409E3B
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041D6E5
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041E77F
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041CFA3
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00402FB0
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00583251
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052C0D20
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052E4120
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052CF900
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05391D55
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052F2581
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052DD5E0
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052D841F
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05381002
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052F20A0
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053920A8
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052DB090
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052FEBB0
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_052E6E30
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05392EF7
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D32D90
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D32D88
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4D6E5
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D39E40
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D39E3B
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D32FB0
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4CFA3
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4E77F
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 052CB150 appears 35 times
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419D60 NtCreateFile
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419E10 NtReadFile
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419E90 NtClose
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419F40 NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419D5A NtCreateFile
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419E0A NtReadFile
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00419F3C NtAllocateVirtualMemory
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309910 NtAdjustPrivilegesToken, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309540 NtReadFile, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053099A0 NtCreateSection, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053095D0 NtClose, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309860 NtQuerySystemInformation, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309840 NtDelayExecution, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309710 NtQueryInformationToken, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309780 NtMapViewOfSection, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309FE0 NtCreateMutant, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309660 NtAllocateVirtualMemory, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309650 NtQueryValueKey, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309A50 NtCreateFile, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053096E0 NtFreeVirtualMemory, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053096D0 NtCreateKey, LdrInitializeThunk
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_0530AD30 NtSetContextThread
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309520 NtWaitForSingleObject
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309560 NtWriteFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309950 NtQueueApcThread
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053095F0 NtQueryInformationFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053099D0 NtCreateProcessEx
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309820 NtEnumerateKey
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_0530B040 NtSuspendThread
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053098A0 NtWriteVirtualMemory
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053098F0 NtReadVirtualMemory
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309730 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_0530A710 NtOpenProcessToken
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309B00 NtSetValueKey
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309770 NtSetInformationFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_0530A770 NtOpenThread
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309760 NtOpenProcess
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_0530A3B0 NtGetContextThread
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_053097A0 NtUnmapViewOfSection
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309A20 NtResumeThread
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309610 NtEnumerateValueKey
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309A10 NtQuerySection
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309A00 NtProtectVirtualMemory
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309670 NtQueryInformationProcess
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_05309A80 NtOpenDirectoryObject
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49D60 NtCreateFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49E90 NtClose
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49E10 NtReadFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49F40 NtAllocateVirtualMemory
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49D5A NtCreateFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49E0A NtReadFile
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D49F3C NtAllocateVirtualMemory
              Source: J2roaMGDmh.exe, 00000000.00000002.378399870.0000000007AD0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs J2roaMGDmh.exe
              Source: J2roaMGDmh.exe, 00000000.00000002.371180845.000000000091A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMemberPrimitiveUnTyp.exeD vs J2roaMGDmh.exe
              Source: J2roaMGDmh.exe, 00000004.00000002.440986280.000000000123F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs J2roaMGDmh.exe
              Source: J2roaMGDmh.exe, 00000004.00000000.369623844.000000000061A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameMemberPrimitiveUnTyp.exeD vs J2roaMGDmh.exe
              Source: J2roaMGDmh.exe, 00000004.00000002.442310059.0000000003003000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs J2roaMGDmh.exe
              Source: J2roaMGDmh.exe | Binary or memory string: OriginalFilenameMemberPrimitiveUnTyp.exeD vs J2roaMGDmh.exe
              Source: J2roaMGDmh.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: J2roaMGDmh.exe | Virustotal: Detection: 27%
              Source: J2roaMGDmh.exe | ReversingLabs: Detection: 28%
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\J2roaMGDmh.exe 'C:\Users\user\Desktop\J2roaMGDmh.exe'
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Process created: C:\Users\user\Desktop\J2roaMGDmh.exe C:\Users\user\Desktop\J2roaMGDmh.exe
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
              Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\J2roaMGDmh.exe'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\J2roaMGDmh.exe.log
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@3/1
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Mutant created: \Sessions\1\BaseNamedObjects\WWNEDthRUpncdjPXspTm
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_01
              Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 events)
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: J2roaMGDmh.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: J2roaMGDmh.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: wntdll.pdbUGP source: J2roaMGDmh.exe, 00000004.00000002.440755237.00000000010AF000.00000040.00000001.sdmp, mstsc.exe, 0000000B.00000002.616193947.00000000053BF000.00000040.00000001.sdmp
              Source: Binary string: wntdll.pdb source: J2roaMGDmh.exe, 00000004.00000002.440755237.00000000010AF000.00000040.00000001.sdmp, mstsc.exe
              Source: Binary string: mstsc.pdbGCTL source: J2roaMGDmh.exe, 00000004.00000002.441354565.0000000002EE0000.00000040.00020000.sdmp
              Source: Binary string: mstsc.pdb source: J2roaMGDmh.exe, 00000004.00000002.441354565.0000000002EE0000.00000040.00020000.sdmp

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: J2roaMGDmh.exe, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 0.0.J2roaMGDmh.exe.880000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 0.2.J2roaMGDmh.exe.880000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 4.0.J2roaMGDmh.exe.580000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 4.2.J2roaMGDmh.exe.580000.1.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_02BAAB49 push edi; ret 0_2_02BAAAF3
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 0_2_07C45222 push esp; retf 0_2_07C45228
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041E3EE push eax; ret 4_2_0041E3F9
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_00416BFB push es; iretd 4_2_00416C01
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041E456 push AA67898Ah; ret 4_2_0041E479
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_004175E0 push ss; retf 4_2_004175E1
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041CEB5 push eax; ret 4_2_0041CF08
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041CF6C push eax; ret 4_2_0041CF72
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041CF02 push eax; ret 4_2_0041CF08
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Code function: 4_2_0041CF0B push eax; ret 4_2_0041CF72
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_0531D0D1 push ecx; ret 11_2_0531D0E4
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D46BFB push es; iretd 11_2_00D46C01
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4E3EE push eax; ret 11_2_00D4E3F9
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4E456 push AA67898Ah; ret 11_2_00D4E479
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D475E0 push ss; retf 11_2_00D475E1
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4CEB5 push eax; ret 11_2_00D4CF08
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4CF6C push eax; ret 11_2_00D4CF72
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4CF02 push eax; ret 11_2_00D4CF08
              Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 11_2_00D4CF0B push eax; ret 11_2_00D4CF72
              Source: initial sample | Static PE information: section name: .text entropy: 7.63199837385
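The push/return pairs listed above and the .text entropy of 7.63 are the two observations behind the code-obfuscation and packing verdicts in this report. The Python below is an added example, not code from the report or from any Joe Sandbox tooling: it reimplements both checks over a constructed byte buffer. The buffer, the 7.0 entropy threshold and the function names are assumptions; the idioms it recognises (push r32/segment/imm followed by ret, retf or iretd) are the ones listed above, including "push AA67898Ah; ret", whose immediate is an obviously bogus branch target.

```python
import math
from typing import List, Tuple

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]   # opcode 0x50 + index
SEG_PUSH = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
RETURNS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}

# Constructed buffer, not bytes taken from the sample: a normal prolog and a
# few plain instructions interleaved with the push/return idioms listed above.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                       # push ebp; mov ebp, esp
    0x50, 0xC3,                             # push eax; ret
    0x33, 0xC0,                             # xor eax, eax
    0x68, 0x8A, 0x89, 0x67, 0xAA, 0xC3,     # push 0AA67898Ah; ret
    0x06, 0xCF,                             # push es; iretd
    0x16, 0xCB,                             # push ss; retf
    0x54, 0xCB,                             # push esp; retf
    0x57, 0xC3,                             # push edi; ret
    0x51, 0xC3,                             # push ecx; ret
    0xC3,                                   # lone ret, no preceding push
])


def find_push_ret(code: bytes) -> List[Tuple[int, str]]:
    """Byte-level scan for a push immediately followed by a return-type
    instruction. Returns (offset, disassembly-like text) per hit."""
    hits: List[Tuple[int, str]] = []
    i = 0
    while i < len(code):
        op = code[i]
        # push r32 / push segment register, then ret/retf/iretd
        if (0x50 <= op <= 0x57 or op in SEG_PUSH) and i + 1 < len(code) and code[i + 1] in RETURNS:
            src = REG32[op - 0x50] if op >= 0x50 else SEG_PUSH[op]
            hits.append((i, f"push {src}; {RETURNS[code[i + 1]]}"))
            i += 2
            continue
        # push imm32, then ret: a disguised jump to the immediate
        if op == 0x68 and i + 5 < len(code) and code[i + 5] in RETURNS:
            target = int.from_bytes(code[i + 1:i + 5], "little")
            hits.append((i, f"push 0x{target:08X}; {RETURNS[code[i + 5]]}"))
            i += 6
            continue
        # push imm8 (sign-extended), then ret
        if op == 0x6A and i + 2 < len(code) and code[i + 2] in RETURNS:
            hits.append((i, f"push 0x{code[i + 1]:02X}; {RETURNS[code[i + 2]]}"))
            i += 3
            continue
        i += 1
    return hits


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


PACKED_THRESHOLD = 7.0   # assumption: compiled x86 .text rarely exceeds this


def section_verdict(name: str, data: bytes, threshold: float = PACKED_THRESHOLD) -> Tuple[str, float, bool]:
    """(section name, entropy rounded to 3 places, above-threshold flag)."""
    ent = shannon_entropy(data)
    return (name, round(ent, 3), ent >= threshold)


if __name__ == "__main__":
    for off, text in find_push_ret(SAMPLE_CODE):
        print(f"{off:04x}: {text}")
    # bytes(range(256)) repeated stands in for an encrypted section (entropy 8.0)
    print(section_verdict(".text", bytes(range(256)) * 16))
    print(section_verdict(".text", SAMPLE_CODE))
```

The scan is not a disassembler: a 0x50 to 0x57 byte directly before 0xC3 can just as well be a ModR/M byte of a longer instruction, so on a packed or encrypted section it over-reports. That is why push/ret hits are weak evidence on their own and are best read together with the entropy verdict, as the report does here with the 7.63 entropy of .text.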

              Hooking and other Techniques for Hiding and Protection:

              Modifies the prolog of user mode functions (user mode inline hooks)
              Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8C 0xCE 0xED
              Self deletion via cmd delete
              Source: C:\Windows\SysWOW64\mstsc.exe | Process created: /c del 'C:\Users\user\Desktop\J2roaMGDmh.exe'
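The self-deletion signature above and the "Process created" lines earlier in the report describe one chain: the sample relaunches a copy of itself, explorer.exe then starts C:\Windows\SysWOW64\mstsc.exe with no arguments, and mstsc.exe runs cmd.exe /c del against the original file, even though neither mstsc.exe nor cmd.exe descends from the sample. The Python below is an added example, not code from the report: it runs three detection checks over constructed Sysmon-style process-creation records that mirror those lines. The PIDs, the record layout and the function names are assumptions.

```python
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record, Sysmon Event ID 1 style."""
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged

SAMPLE = r"C:\Users\user\Desktop\J2roaMGDmh.exe"

# Constructed records mirroring the "Process created" lines of the report.
# The PIDs are assumptions; the report does not give them.
EVENTS = [
    ProcEvent(100, 1,   SAMPLE, f"'{SAMPLE}'"),
    ProcEvent(200, 100, SAMPLE, SAMPLE),
    ProcEvent(300, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(400, 300, r"C:\Windows\SysWOW64\mstsc.exe", r"C:\Windows\SysWOW64\mstsc.exe"),
    ProcEvent(500, 400, r"C:\Windows\SysWOW64\cmd.exe", f"/c del '{SAMPLE}'"),
    ProcEvent(600, 500, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "del <path>" at the end of a cmd.exe command line, path optionally quoted
DEL_RE = re.compile(r"\bdel\b\s+['\"]?([^'\"]+?)['\"]?\s*$", re.IGNORECASE)

def norm(path: str) -> str:
    """Case-insensitive, normalised Windows path for comparisons."""
    return ntpath.normpath(path.strip()).lower()

def basename(image: str) -> str:
    return ntpath.basename(image).lower()

def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[int]:
    """PIDs of every recorded ancestor of `pid`, nearest first."""
    out: List[int] = []
    ev = by_pid.get(pid)
    while ev is not None and ev.ppid in by_pid and ev.ppid not in out:
        out.append(ev.ppid)
        ev = by_pid[ev.ppid]
    return out

def find_self_deletion(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """cmd.exe '/c del X' where X is the image of a process in the same log.
    If the deleter has no lineage to that process, the deleting chain was
    most likely started by injected code (here explorer -> mstsc -> cmd)."""
    by_pid = {e.pid: e for e in events}
    pids_by_image: Dict[str, List[int]] = defaultdict(list)
    for e in events:
        pids_by_image[norm(e.image)].append(e.pid)
    findings = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = norm(m.group(1))
        if target not in pids_by_image:
            continue
        lineage = ancestors(by_pid, e.pid)
        related = any(p in lineage for p in pids_by_image[target])
        findings.append((e.pid, target, "lineage" if related else "unrelated"))
    return findings

def find_explorer_lolbin_chain(events: List[ProcEvent]) -> List[Tuple[int, str, bool]]:
    """explorer.exe starting a SysWOW64 system binary with no arguments;
    the flag records whether that binary went on to spawn cmd.exe."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = defaultdict(list)
    for e in events:
        children[e.ppid].append(e)
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or basename(parent.image) != "explorer.exe":
            continue
        if "\\syswow64\\" not in norm(e.image):
            continue
        if norm(e.cmdline.strip("'\"")) != norm(e.image):   # has extra arguments
            continue
        spawns_cmd = any(basename(c.image) == "cmd.exe" for c in children[e.pid])
        findings.append((e.pid, basename(e.image), spawns_cmd))
    return findings

def find_self_spawn(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """A process launching a second copy of its own image, the loader's
    re-execution step before the child is hollowed."""
    by_pid = {e.pid: e for e in events}
    return [(e.ppid, e.pid) for e in events
            if e.ppid in by_pid and norm(by_pid[e.ppid].image) == norm(e.image)]

def analyze(events: List[ProcEvent]) -> List[str]:
    report = []
    for pid, target, rel in find_self_deletion(events):
        report.append(f"self-deletion: cmd.exe pid {pid} deletes executed image {target} ({rel} process)")
    for pid, name, spawns_cmd in find_explorer_lolbin_chain(events):
        report.append(f"explorer.exe launched SysWOW64 {name} (pid {pid}) without arguments"
                      + (", which then spawned cmd.exe" if spawns_cmd else ""))
    for ppid, pid in find_self_spawn(events):
        report.append(f"self re-execution: pid {ppid} spawned pid {pid} with the same image")
    return report

if __name__ == "__main__":
    for line in analyze(EVENTS):
        print(line)
```

On real telemetry the same logic reads Sysmon Event ID 1 fields (ProcessId, ParentProcessId, Image, CommandLine). The "unrelated" lineage result is the point of the first check: a deleter that is not a descendant of the file it deletes cannot have learned that path by inheritance, which is exactly what injection into explorer.exe produces in this report.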
              Source: C:\Users\user\Desktop\J2roaMGDmh.exe | Process information set: NOOPENFILEERRORBOX (23 identical events)