Windows Analysis Report
skyrunyyu655432.exe

Overview

General Information

Sample Name: skyrunyyu655432.exe
Analysis ID: 635291
MD5: 070a940ccbc84f85a8ba749eccf55618
SHA1: b6624708fa177d6a591c01ba291d40390bb6d8e7
SHA256: a734d235386d77a1c6a88bdf63efce5134a82a90e113be647200401b717b891e
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

AV Detection

Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.boxberry-my.com/sn31/"], "decoy": ["matsuomatsuo.com", "104wn.com", "bolacorner.com", "dawonderer.com", "yourpamlano.xyz", "mtzmx.icu", "lepakzaparket.com", "barmagli.com", "danta.ltd", "marumaru240.com", "people-centeredhr.com", "test-brew-inc.com", "clairvoyantbusinesscoach.com", "aforeignexchangeblog.com", "erentekbilisim.com", "gangqinqu123.net", "defiguaranteebonds.com", "thegioigaubong97.site", "vaoiwin.info", "vcwholeness.com", "03c3twpfee5estjovfu2655.com", "mutantapeyachtclubtoken.store", "pixelkev.xyz", "corporacioncymaz.com", "iampro-found.com", "azureconsults.com", "bam-bong.com", "advanceresubeopene.biz", "tzjisheng.com", "krdz28.online", "ycw2009.com", "minioe.com", "dronelink.xyz", "autu.cfd", "sdwmkj.com", "uixray.xyz", "informacion-numero-24-h.site", "123dianyingyuan.com", "tj-assets.com", "usaservicedogregistratuon.com", "metagwnics.com", "pepeksquad2.host", "kc7.club", "yundtremark.com", "finance-employers.com", "euroglobalnews.info", "estudioenzetti.com", "rodosmail.xyz", "bm65.xyz", "bchmtn.net", "server4uuss.net", "maisonretraiteprivee.com", "atelierelzaaidar.com", "thegurlyboutique.com", "primobellaquartz.com", "jetskirentaldublin.com", "akmeetech.com", "withoutyoutube.com", "blackcreekwatershed.com", "89qp52.com", "e3488.com", "vote4menk.com", "tyma.club", "theceditpalooza.com"]}
Source: skyrunyyu655432.exe Virustotal: Detection: 42%
Source: skyrunyyu655432.exe ReversingLabs: Detection: 34%
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.boxberry-my.com/sn31/ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe ReversingLabs: Detection: 36%
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack Avira: Label: TR/Crypt.ZPACK.Gen
Source: skyrunyyu655432.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: ipconfig.pdb source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: C:\drzmu\ggsdfz\yvaw\e1787da5c4714b909513c5a841b06b91\ftesxt\xwtvbdyl\Release\xwtvbdyl.pdb source: skyrunyyu655432.exe, 00000000.00000002.321823751.000000000040B000.00000004.00000001.01000000.00000003.sdmp, skyrunyyu655432.exe, 00000000.00000002.322060613.000000000275C000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000002.292672930.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000002.00000000.279753075.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000003.00000000.287892253.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, ipconfig.exe, 0000000D.00000002.547054865.00000000030DF000.00000004.10000000.00040000.00000000.sdmp, nspF162.tmp.0.dr, jfotlqeoqb.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405426
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405D9C
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_004026A1 FindFirstFileA, 0_2_004026A1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 4x nop then pop ebx 3_2_00407B1D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 4x nop then pop edi 3_2_00417DA4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop ebx 13_2_024C7B1D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 4x nop then pop edi 13_2_024D7DA4

Networking

Source: C:\Windows\explorer.exe Domain query: www.dawonderer.com
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.147 80
Source: C:\Windows\explorer.exe Domain query: www.bolacorner.com
Source: C:\Windows\explorer.exe Network Connect: 52.71.57.184 80
Source: Traffic Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49755 -> 66.235.200.147:80
Source: Traffic Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49755 -> 66.235.200.147:80
Source: Traffic Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49755 -> 66.235.200.147:80
Source: Malware configuration extractor URLs: www.boxberry-my.com/sn31/
Source: global traffic HTTP traffic detected: GET /sn31/?m6R01xM0=qZl/JLX84vnD5ytzVzk0/a0Hcpketn5qZPO1CaBkWF6tW2qs6ow5h/A/zRQwl5G72f7o&nPqD=gvLpMpxpWl HTTP/1.1 Host: www.dawonderer.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic HTTP traffic detected: GET /sn31/?m6R01xM0=f82GdrL9BOGPadRnOYEWsPSt+bOR3tUYa+dCVqOhmg/09rEzcw7t3bM5PuUufbFtM3zx&nPqD=gvLpMpxpWl HTTP/1.1 Host: www.bolacorner.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View IP Address: 52.71.57.184 52.71.57.184
Source: ipconfig.exe, 0000000D.00000002.547196966.00000000035CF000.00000004.10000000.00040000.00000000.sdmp String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=bolacorner.com
Source: unknown DNS traffic detected: queries for: www.dawonderer.com
Source: jfotlqeoqb.exe, 00000002.00000002.293051588.000000000170A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_00404FDD

E-Banking Fraud

Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: skyrunyyu655432.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
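Each memory hit above is identified by a Joe Sandbox dump name whose fields encode the process, the base address and the page protection and memory type of the region it was taken from; reading them is how you separate the hollowed copy of the payload sitting at its 0x400000 image base from the sections mapped into explorer.exe and ipconfig.exe. The following Python, added here as an example and not part of the report, decodes those names for the distinct hits listed. The field layout (pid.snapshot.dump-id.base.protect.?.type.?.sdmp) is an assumption inferred from the identifiers on this page; protect and type are decoded with the standard Win32 PAGE_* and MEM_* constants, and the sixth and eighth fields are left undecoded.

```python
"""Decode Joe Sandbox memory-dump identifiers from YARA hits and classify
each region by the injection primitive it is evidence of.

Added example, not part of the report. The field layout
(pid.snapshot.dumpid.base.protect.?.type.?.sdmp) is an assumption drawn
from the identifiers on this page; fields six and eight are not decoded.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Standard Win32 memory protection and type constants.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Process ids and image names taken from the report's process tree.
PID_NAMES = {2: "jfotlqeoqb.exe", 3: "jfotlqeoqb.exe", 6: "explorer.exe", 13: "ipconfig.exe"}

DUMP_RE = re.compile(
    r"^([0-9a-f]{8})\.([0-9a-f]{8})\.(\d+)\.([0-9a-f]{16})\.([0-9a-f]{8})"
    r"\.([0-9a-f]{8})\.([0-9a-f]{8})\.([0-9a-f]{8})\.sdmp$", re.I)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    snapshot: int
    base: int
    protect: str
    mem_type: str

    def classify(self) -> str:
        """Map the region to the injection evidence it represents."""
        executable = self.protect.startswith("PAGE_EXECUTE")
        if self.mem_type == "MEM_PRIVATE" and executable and self.base == 0x400000:
            return "hollowed-image"      # private RWX at the image base
        if self.mem_type == "MEM_MAPPED" and executable:
            return "mapped-section"      # section mapped into the target
        if self.mem_type == "MEM_PRIVATE" and executable:
            return "private-executable"
        if self.mem_type == "MEM_PRIVATE":
            return "staged-rw"           # payload staged in writable heap
        return "other"


def parse_dump_id(name: str) -> DumpRegion:
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump identifier: {name}")
    pid, snap, _dumpid, base, protect, _f6, mtype, _f8 = m.groups()
    prot = int(protect, 16)
    return DumpRegion(
        pid=int(pid, 16), snapshot=int(snap, 16), base=int(base, 16),
        protect=PAGE_PROTECT.get(prot & 0xFF, f"0x{prot:X}"),
        mem_type=MEM_TYPE.get(int(mtype, 16), f"0x{int(mtype, 16):X}"),
    )


def summarize(hits: List[str]) -> Dict[int, Set[str]]:
    """Per-PID set of evidence classes across all dumps that hit."""
    out: Dict[int, Set[str]] = {}
    for name in hits:
        r = parse_dump_id(name)
        out.setdefault(r.pid, set()).add(r.classify())
    return out


# The distinct memory sources that matched the Formbook rules above.
SAMPLE_HITS = [
    "00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp",
    "0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp",
    "0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp",
    "00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp",
    "00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp",
    "00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp",
    "0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp",
]

if __name__ == "__main__":
    for pid, classes in sorted(summarize(SAMPLE_HITS).items()):
        print(f"pid {pid:2d} {PID_NAMES.get(pid, '?'):16s} {sorted(classes)}")
```

On the hits above this yields private PAGE_EXECUTE_READWRITE memory at 0x400000 in the second jfotlqeoqb.exe process (the hollowed image), mapped executable sections in that process, in explorer.exe and in ipconfig.exe, and a PAGE_READWRITE private region in the first jfotlqeoqb.exe, which is consistent with the hollowing and section-mapping signatures listed at the top of the report.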
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, 0_2_004032FA
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_004047EE 0_2_004047EE
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00406083 0_2_00406083
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F6880 2_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F6880 2_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F496E 2_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F959D 2_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F7364 2_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F7364 2_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F496E 2_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F959D 2_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001E38EC 2_2_001E38EC
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F85D1 2_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F6DF2 2_2_001F6DF2
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F85D1 2_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F7364 2_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F496E 2_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F6880 3_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F6880 3_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F496E 3_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F959D 3_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F7364 3_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F7364 3_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F496E 3_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F959D 3_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001E38EC 3_2_001E38EC
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F85D1 3_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F6DF2 3_2_001F6DF2
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F85D1 3_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F7364 3_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F496E 3_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041D805 3_2_0041D805
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00401030 3_2_00401030
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041DA33 3_2_0041DA33
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041EB32 3_2_0041EB32
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041C3EA 3_2_0041C3EA
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041ED64 3_2_0041ED64
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041DD0A 3_2_0041DD0A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00402D87 3_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00402D90 3_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00409E5E 3_2_00409E5E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00409E60 3_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00402FB0 3_2_00402FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA2EF7 13_2_02CA2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA22AE 13_2_02CA22AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF6E30 13_2_02BF6E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9DBD2 13_2_02C9DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA1FF1 13_2_02CA1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0EBB0 13_2_02C0EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA2B28 13_2_02CA2B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA28EC 13_2_02CA28EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEB090 13_2_02BEB090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA20A8 13_2_02CA20A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE841F 13_2_02BE841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9D466 13_2_02C9D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91002 13_2_02C91002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA25DD 13_2_02CA25DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02581 13_2_02C02581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BED5E0 13_2_02BED5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD0D20 13_2_02BD0D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA1D55 13_2_02CA1D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDF900 13_2_02BDF900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA2D07 13_2_02CA2D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DDA33 13_2_024DDA33
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DEB32 13_2_024DEB32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DC3EA 13_2_024DC3EA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DD805 13_2_024DD805
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C9E5E 13_2_024C9E5E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C9E60 13_2_024C9E60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C2FB0 13_2_024C2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DED64 13_2_024DED64
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DDD0A 13_2_024DDD0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C2D87 13_2_024C2D87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C2D90 13_2_024C2D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02BDB150 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: String function: 001EEFF0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A360 NtCreateFile, 3_2_0041A360
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A410 NtReadFile, 3_2_0041A410
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A490 NtClose, 3_2_0041A490
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A540 NtAllocateVirtualMemory, 3_2_0041A540
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A35A NtCreateFile, 3_2_0041A35A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A45A NtReadFile, 3_2_0041A45A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A492 NtClose, 3_2_0041A492
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A53A NtAllocateVirtualMemory, 3_2_0041A53A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C196D0 NtCreateKey,LdrInitializeThunk, 13_2_02C196D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C196E0 NtFreeVirtualMemory,LdrInitializeThunk, 13_2_02C196E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A50 NtCreateFile,LdrInitializeThunk, 13_2_02C19A50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19FE0 NtCreateMutant,LdrInitializeThunk, 13_2_02C19FE0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19780 NtMapViewOfSection,LdrInitializeThunk, 13_2_02C19780
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19710 NtQueryInformationToken,LdrInitializeThunk, 13_2_02C19710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19840 NtDelayExecution,LdrInitializeThunk, 13_2_02C19840
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19860 NtQuerySystemInformation,LdrInitializeThunk, 13_2_02C19860
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C195D0 NtClose,LdrInitializeThunk, 13_2_02C195D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C199A0 NtCreateSection,LdrInitializeThunk, 13_2_02C199A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19540 NtReadFile,LdrInitializeThunk, 13_2_02C19540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19910 NtAdjustPrivilegesToken,LdrInitializeThunk, 13_2_02C19910
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A80 NtOpenDirectoryObject, 13_2_02C19A80
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19650 NtQueryValueKey, 13_2_02C19650
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19660 NtAllocateVirtualMemory, 13_2_02C19660
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19670 NtQueryInformationProcess, 13_2_02C19670
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A00 NtProtectVirtualMemory, 13_2_02C19A00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19610 NtEnumerateValueKey, 13_2_02C19610
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A10 NtQuerySection, 13_2_02C19A10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A20 NtResumeThread, 13_2_02C19A20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C197A0 NtUnmapViewOfSection, 13_2_02C197A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1A3B0 NtGetContextThread, 13_2_02C1A3B0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19760 NtOpenProcess, 13_2_02C19760
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19770 NtSetInformationFile, 13_2_02C19770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1A770 NtOpenThread, 13_2_02C1A770
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19B00 NtSetValueKey, 13_2_02C19B00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1A710 NtOpenProcessToken, 13_2_02C1A710
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19730 NtQueryVirtualMemory, 13_2_02C19730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C198F0 NtReadVirtualMemory, 13_2_02C198F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C198A0 NtWriteVirtualMemory, 13_2_02C198A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1B040 NtSuspendThread, 13_2_02C1B040
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19820 NtEnumerateKey, 13_2_02C19820
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C199D0 NtCreateProcessEx, 13_2_02C199D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C195F0 NtQueryInformationFile, 13_2_02C195F0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19950 NtQueueApcThread, 13_2_02C19950
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19560 NtWriteFile, 13_2_02C19560
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19520 NtWaitForSingleObject, 13_2_02C19520
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1AD30 NtSetContextThread, 13_2_02C1AD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA360 NtCreateFile, 13_2_024DA360
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA410 NtReadFile, 13_2_024DA410
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA490 NtClose, 13_2_024DA490
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA35A NtCreateFile, 13_2_024DA35A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA45A NtReadFile, 13_2_024DA45A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA492 NtClose, 13_2_024DA492
Source: skyrunyyu655432.exe Virustotal: Detection: 42%
Source: skyrunyyu655432.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\skyrunyyu655432.exe File read: C:\Users\user\Desktop\skyrunyyu655432.exe
Source: skyrunyyu655432.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\skyrunyyu655432.exe "C:\Users\user\Desktop\skyrunyyu655432.exe"
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
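The process chain above is the whole of the sample's observable host footprint: the installer drops and runs a second executable from %TEMP%, that executable relaunches itself with the same argument, explorer.exe (which has no reason to start a console network utility with an empty command line) spawns SysWOW64\ipconfig.exe, and that utility deletes the dropper through cmd.exe. The following Python, an added example rather than report output, encodes those four relationships as rules over (parent, child, command line) events transcribed from the lines above. The console-utility watchlist is a hypothetical minimal one, not a FormBook-specific list, and the rule names are my own.

```python
"""Detection logic for the process chain in the report (added example, not
part of the report). Each event is (parent_image, child_image, child_cmdline)
transcribed from the "Process created" lines; the console-utility watchlist
is a hypothetical minimal one.
"""
import ntpath
import re
from typing import List, Set, Tuple

Event = Tuple[str, str, str]

# Constructed from the report's process tree; "unknown" is the sandbox's
# placeholder for whatever started the sample.
EVENTS: List[Event] = [
    ("unknown",
     r"C:\Users\user\Desktop\skyrunyyu655432.exe",
     r'"C:\Users\user\Desktop\skyrunyyu655432.exe"'),
    (r"C:\Users\user\Desktop\skyrunyyu655432.exe",
     r"C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe",
     r"C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss"),
    (r"C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe",
     r"C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe",
     r"C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss"),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\SysWOW64\ipconfig.exe",
     r"C:\Windows\SysWOW64\ipconfig.exe"),
    (r"C:\Windows\SysWOW64\ipconfig.exe",
     r"C:\Windows\SysWOW64\cmd.exe",
     r'/c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"'),
    (r"C:\Windows\SysWOW64\cmd.exe",
     r"C:\Windows\System32\conhost.exe",
     r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# Hypothetical watchlist: console-only utilities that explorer.exe has no
# reason to start with an empty command line.
CONSOLE_UTILITIES = {"ipconfig.exe", "netsh.exe", "nslookup.exe",
                     "netstat.exe", "systeminfo.exe", "whoami.exe"}
TEMP_MARK = "\\appdata\\local\\temp\\"
DEL_RE = re.compile(r'\bdel\s+"?([^"]+?\.exe)"?', re.I)


def image_name(path: str) -> str:
    return ntpath.basename(path).lower()


def no_arguments(image: str, cmdline: str) -> bool:
    # True when the command line is nothing but the image path itself.
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, detail) findings in event order."""
    findings: List[Tuple[str, str]] = []
    dropped: Set[str] = set()   # executables first seen running from %TEMP%
    for parent, child, cmdline in events:
        p_img, c_img = image_name(parent), image_name(child)
        if TEMP_MARK in child.lower() and parent.lower() != child.lower():
            dropped.add(child.lower())
            findings.append(("temp-executable-launched", cmdline))
        elif parent.lower() == child.lower():
            # Same image re-launched with identical arguments: the stage
            # hand-off that precedes the hollowed copy.
            findings.append(("self-respawn", cmdline))
        if p_img == "explorer.exe" and c_img in CONSOLE_UTILITIES \
                and no_arguments(child, cmdline):
            findings.append(("explorer-spawned-console-utility", cmdline))
        m = DEL_RE.search(cmdline)
        if m and m.group(1).lower() in dropped:
            # A system utility removing the payload it was injected from.
            findings.append(("dropped-payload-deleted", f"{p_img} -> {cmdline}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:34s} {detail}")
```

The fourth rule only fires because the second recorded which path was dropped; correlating the delete with the earlier drop is what separates this from a user running `del` in a prompt, and it survives the fact that the deleting parent is a signed Windows binary.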
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\skyrunyyu655432.exe File created: C:\Users\user\AppData\Local\Temp\nspF161.tmp
Source: classification engine Classification label: mal100.troj.evad.winEXE@9/4@2/2
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar, 0_2_00402078
Source: C:\Users\user\Desktop\skyrunyyu655432.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_00404333
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_01
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: ipconfig.pdb source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: ipconfig.pdbGCTL source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
Source: Binary string: C:\drzmu\ggsdfz\yvaw\e1787da5c4714b909513c5a841b06b91\ftesxt\xwtvbdyl\Release\xwtvbdyl.pdb source: skyrunyyu655432.exe, 00000000.00000002.321823751.000000000040B000.00000004.00000001.01000000.00000003.sdmp, skyrunyyu655432.exe, 00000000.00000002.322060613.000000000275C000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000002.292672930.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000002.00000000.279753075.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000003.00000000.287892253.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, ipconfig.exe, 0000000D.00000002.547054865.00000000030DF000.00000004.10000000.00040000.00000000.sdmp, nspF162.tmp.0.dr, jfotlqeoqb.exe.0.dr
Source: Binary string: wntdll.pdbUGP source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001EF035 push ecx; ret 2_2_001EF048
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001EF035 push ecx; ret 3_2_001EF048
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_004168D5 push ebp; ret 3_2_004168D8
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041E9A8 push dword ptr [25B3BB99h]; ret 3_2_0041E9CB
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00416CD3 push esi; ret 3_2_00416CDB
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00417CF5 pushfd ; iretd 3_2_00417CF6
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041D4B5 push eax; ret 3_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041D56C push eax; ret 3_2_0041D572
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041D502 push eax; ret 3_2_0041D508
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041D50B push eax; ret 3_2_0041D572
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C2D0D1 push ecx; ret 13_2_02C2D0E4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024D68D5 push ebp; ret 13_2_024D68D8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DE9A8 push dword ptr [25B3BB99h]; ret 13_2_024DE9CB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024D6CD3 push esi; ret 13_2_024D6CDB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024D7CF5 pushfd ; iretd 13_2_024D7CF6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DD4B5 push eax; ret 13_2_024DD508
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DD56C push eax; ret 13_2_024DD572
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DD50B push eax; ret 13_2_024DD572
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DD502 push eax; ret 13_2_024DD508
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DDA

Persistence and Installation Behavior

Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Users\user\Desktop\skyrunyyu655432.exe File created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe

Hooking and other Techniques for Hiding and Protection

Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\ipconfig.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000024C9904 second address: 00000000024C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\ipconfig.exe RDTSC instruction interceptor: First address: 00000000024C9B7E second address: 00000000024C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\explorer.exe TID: 6276 Thread sleep time: -36000s >= -30000s
Source: C:\Windows\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\ipconfig.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00409AB0 rdtsc 3_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe API coverage: 5.2 %
Source: C:\Windows\SysWOW64\ipconfig.exe API coverage: 8.3 %
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA, 0_2_00405426
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose, 0_2_00405D9C
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_004026A1 FindFirstFileA, 0_2_004026A1
Source: C:\Users\user\Desktop\skyrunyyu655432.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe API call chain: ExitProcess graph end node
Source: explorer.exe, 00000006.00000000.317703747.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000006.00000000.326481142.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000006.00000000.326503153.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.353634268.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000006.00000000.410432696.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000006.00000000.328565988.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000006.00000000.353634268.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000006.00000000.353562896.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000006.00000000.317703747.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000006.00000000.353634268.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001EE891 _memset,IsDebuggerPresent, 2_2_001EE891
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F4395 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 2_2_001F4395
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00405DDA
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F538A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 2_2_001F538A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00409AB0 rdtsc 3_2_00409AB0
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_016503F8 mov eax, dword ptr fs:[00000030h] 2_2_016503F8
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_01650772 mov eax, dword ptr fs:[00000030h] 2_2_01650772
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_01650736 mov eax, dword ptr fs:[00000030h] 2_2_01650736
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_0165061D mov eax, dword ptr fs:[00000030h] 2_2_0165061D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_016506F7 mov eax, dword ptr fs:[00000030h] 2_2_016506F7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C18EC7 mov eax, dword ptr fs:[00000030h] 13_2_02C18EC7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C8FEC0 mov eax, dword ptr fs:[00000030h] 13_2_02C8FEC0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02ACB mov eax, dword ptr fs:[00000030h] 13_2_02C02ACB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C036CC mov eax, dword ptr fs:[00000030h] 13_2_02C036CC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEAAB0 mov eax, dword ptr fs:[00000030h] 13_2_02BEAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEAAB0 mov eax, dword ptr fs:[00000030h] 13_2_02BEAAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h] 13_2_02BD52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h] 13_2_02BD52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h] 13_2_02BD52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h] 13_2_02BD52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h] 13_2_02BD52A5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA8ED6 mov eax, dword ptr fs:[00000030h] 13_2_02CA8ED6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C016E0 mov ecx, dword ptr fs:[00000030h] 13_2_02C016E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02AE4 mov eax, dword ptr fs:[00000030h] 13_2_02C02AE4
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6FE87 mov eax, dword ptr fs:[00000030h] 13_2_02C6FE87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0D294 mov eax, dword ptr fs:[00000030h] 13_2_02C0D294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0D294 mov eax, dword ptr fs:[00000030h] 13_2_02C0D294
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE76E2 mov eax, dword ptr fs:[00000030h] 13_2_02BE76E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C546A7 mov eax, dword ptr fs:[00000030h] 13_2_02C546A7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA0EA5 mov eax, dword ptr fs:[00000030h] 13_2_02CA0EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA0EA5 mov eax, dword ptr fs:[00000030h] 13_2_02CA0EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA0EA5 mov eax, dword ptr fs:[00000030h] 13_2_02CA0EA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0FAB0 mov eax, dword ptr fs:[00000030h] 13_2_02C0FAB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9AE44 mov eax, dword ptr fs:[00000030h] 13_2_02C9AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9AE44 mov eax, dword ptr fs:[00000030h] 13_2_02C9AE44
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C64257 mov eax, dword ptr fs:[00000030h] 13_2_02C64257
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9EA55 mov eax, dword ptr fs:[00000030h] 13_2_02C9EA55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDE620 mov eax, dword ptr fs:[00000030h] 13_2_02BDE620
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF3A1C mov eax, dword ptr fs:[00000030h] 13_2_02BF3A1C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C8B260 mov eax, dword ptr fs:[00000030h] 13_2_02C8B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C8B260 mov eax, dword ptr fs:[00000030h] 13_2_02C8B260
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA8A62 mov eax, dword ptr fs:[00000030h] 13_2_02CA8A62
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDAA16 mov eax, dword ptr fs:[00000030h] 13_2_02BDAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDAA16 mov eax, dword ptr fs:[00000030h] 13_2_02BDAA16
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD5210 mov eax, dword ptr fs:[00000030h] 13_2_02BD5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD5210 mov ecx, dword ptr fs:[00000030h] 13_2_02BD5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD5210 mov eax, dword ptr fs:[00000030h] 13_2_02BD5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD5210 mov eax, dword ptr fs:[00000030h] 13_2_02BD5210
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE8A0A mov eax, dword ptr fs:[00000030h] 13_2_02BE8A0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1927A mov eax, dword ptr fs:[00000030h] 13_2_02C1927A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDC600 mov eax, dword ptr fs:[00000030h] 13_2_02BDC600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDC600 mov eax, dword ptr fs:[00000030h] 13_2_02BDC600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDC600 mov eax, dword ptr fs:[00000030h] 13_2_02BDC600
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C08E00 mov eax, dword ptr fs:[00000030h] 13_2_02C08E00
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91608 mov eax, dword ptr fs:[00000030h] 13_2_02C91608
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h] 13_2_02BFAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h] 13_2_02BFAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h] 13_2_02BFAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h] 13_2_02BFAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h] 13_2_02BFAE73
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE766D mov eax, dword ptr fs:[00000030h] 13_2_02BE766D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0A61C mov eax, dword ptr fs:[00000030h] 13_2_02C0A61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0A61C mov eax, dword ptr fs:[00000030h] 13_2_02C0A61C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C14A2C mov eax, dword ptr fs:[00000030h] 13_2_02C14A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C14A2C mov eax, dword ptr fs:[00000030h] 13_2_02C14A2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C8FE3F mov eax, dword ptr fs:[00000030h] 13_2_02C8FE3F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h] 13_2_02BD9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h] 13_2_02BD9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h] 13_2_02BD9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h] 13_2_02BD9240
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h] 13_2_02BE7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h] 13_2_02BE7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h] 13_2_02BE7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h] 13_2_02BE7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h] 13_2_02BE7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h] 13_2_02BE7E41
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C553CA mov eax, dword ptr fs:[00000030h] 13_2_02C553CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C553CA mov eax, dword ptr fs:[00000030h] 13_2_02C553CA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h] 13_2_02C003E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h] 13_2_02C003E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h] 13_2_02C003E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h] 13_2_02C003E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h] 13_2_02C003E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h] 13_2_02C003E2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE8794 mov eax, dword ptr fs:[00000030h] 13_2_02BE8794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE1B8F mov eax, dword ptr fs:[00000030h] 13_2_02BE1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE1B8F mov eax, dword ptr fs:[00000030h] 13_2_02BE1B8F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C137F5 mov eax, dword ptr fs:[00000030h] 13_2_02C137F5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9138A mov eax, dword ptr fs:[00000030h] 13_2_02C9138A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C8D380 mov ecx, dword ptr fs:[00000030h] 13_2_02C8D380
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0B390 mov eax, dword ptr fs:[00000030h] 13_2_02C0B390
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C57794 mov eax, dword ptr fs:[00000030h] 13_2_02C57794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C57794 mov eax, dword ptr fs:[00000030h] 13_2_02C57794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C57794 mov eax, dword ptr fs:[00000030h] 13_2_02C57794
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFDBE9 mov eax, dword ptr fs:[00000030h] 13_2_02BFDBE9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02397 mov eax, dword ptr fs:[00000030h] 13_2_02C02397
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C04BAD mov eax, dword ptr fs:[00000030h] 13_2_02C04BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C04BAD mov eax, dword ptr fs:[00000030h] 13_2_02C04BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C04BAD mov eax, dword ptr fs:[00000030h] 13_2_02C04BAD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA5BA5 mov eax, dword ptr fs:[00000030h] 13_2_02CA5BA5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA8B58 mov eax, dword ptr fs:[00000030h] 13_2_02CA8B58
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD4F2E mov eax, dword ptr fs:[00000030h] 13_2_02BD4F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD4F2E mov eax, dword ptr fs:[00000030h] 13_2_02BD4F2E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA8F6A mov eax, dword ptr fs:[00000030h] 13_2_02CA8F6A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFF716 mov eax, dword ptr fs:[00000030h] 13_2_02BFF716
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C03B7A mov eax, dword ptr fs:[00000030h] 13_2_02C03B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C03B7A mov eax, dword ptr fs:[00000030h] 13_2_02C03B7A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA070D mov eax, dword ptr fs:[00000030h] 13_2_02CA070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA070D mov eax, dword ptr fs:[00000030h] 13_2_02CA070D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0A70E mov eax, dword ptr fs:[00000030h] 13_2_02C0A70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0A70E mov eax, dword ptr fs:[00000030h] 13_2_02C0A70E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9131B mov eax, dword ptr fs:[00000030h] 13_2_02C9131B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6FF10 mov eax, dword ptr fs:[00000030h] 13_2_02C6FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6FF10 mov eax, dword ptr fs:[00000030h] 13_2_02C6FF10
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDDB60 mov ecx, dword ptr fs:[00000030h] 13_2_02BDDB60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEFF60 mov eax, dword ptr fs:[00000030h] 13_2_02BEFF60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDF358 mov eax, dword ptr fs:[00000030h] 13_2_02BDF358
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0E730 mov eax, dword ptr fs:[00000030h] 13_2_02C0E730
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDDB40 mov eax, dword ptr fs:[00000030h] 13_2_02BDDB40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEEF40 mov eax, dword ptr fs:[00000030h] 13_2_02BEEF40
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h] 13_2_02C6B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6B8D0 mov ecx, dword ptr fs:[00000030h] 13_2_02C6B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h] 13_2_02C6B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h] 13_2_02C6B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h] 13_2_02C6B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h] 13_2_02C6B8D0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA8CD6 mov eax, dword ptr fs:[00000030h] 13_2_02CA8CD6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE849B mov eax, dword ptr fs:[00000030h] 13_2_02BE849B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C914FB mov eax, dword ptr fs:[00000030h] 13_2_02C914FB
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56CF0 mov eax, dword ptr fs:[00000030h] 13_2_02C56CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56CF0 mov eax, dword ptr fs:[00000030h] 13_2_02C56CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56CF0 mov eax, dword ptr fs:[00000030h] 13_2_02C56CF0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9080 mov eax, dword ptr fs:[00000030h] 13_2_02BD9080
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C53884 mov eax, dword ptr fs:[00000030h] 13_2_02C53884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C53884 mov eax, dword ptr fs:[00000030h] 13_2_02C53884
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD58EC mov eax, dword ptr fs:[00000030h] 13_2_02BD58EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h] 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h] 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h] 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h] 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h] 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h] 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C190AF mov eax, dword ptr fs:[00000030h] 13_2_02C190AF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0F0BF mov ecx, dword ptr fs:[00000030h] 13_2_02C0F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0F0BF mov eax, dword ptr fs:[00000030h] 13_2_02C0F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0F0BF mov eax, dword ptr fs:[00000030h] 13_2_02C0F0BF
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0A44B mov eax, dword ptr fs:[00000030h] 13_2_02C0A44B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h] 13_2_02BEB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h] 13_2_02BEB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h] 13_2_02BEB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h] 13_2_02BEB02A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6C450 mov eax, dword ptr fs:[00000030h] 13_2_02C6C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C6C450 mov eax, dword ptr fs:[00000030h] 13_2_02C6C450
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C92073 mov eax, dword ptr fs:[00000030h] 13_2_02C92073
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA1074 mov eax, dword ptr fs:[00000030h] 13_2_02CA1074
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA740D mov eax, dword ptr fs:[00000030h] 13_2_02CA740D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA740D mov eax, dword ptr fs:[00000030h] 13_2_02CA740D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA740D mov eax, dword ptr fs:[00000030h] 13_2_02CA740D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91C06 mov eax, dword ptr fs:[00000030h] 13_2_02C91C06
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56C0A mov eax, dword ptr fs:[00000030h] 13_2_02C56C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56C0A mov eax, dword ptr fs:[00000030h] 13_2_02C56C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56C0A mov eax, dword ptr fs:[00000030h] 13_2_02C56C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56C0A mov eax, dword ptr fs:[00000030h] 13_2_02C56C0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF746D mov eax, dword ptr fs:[00000030h] 13_2_02BF746D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C57016 mov eax, dword ptr fs:[00000030h] 13_2_02C57016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C57016 mov eax, dword ptr fs:[00000030h] 13_2_02C57016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C57016 mov eax, dword ptr fs:[00000030h] 13_2_02C57016
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA4015 mov eax, dword ptr fs:[00000030h] 13_2_02CA4015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA4015 mov eax, dword ptr fs:[00000030h] 13_2_02CA4015
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0BC2C mov eax, dword ptr fs:[00000030h] 13_2_02C0BC2C
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0002D mov eax, dword ptr fs:[00000030h] 13_2_02C0002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0002D mov eax, dword ptr fs:[00000030h] 13_2_02C0002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0002D mov eax, dword ptr fs:[00000030h] 13_2_02C0002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0002D mov eax, dword ptr fs:[00000030h] 13_2_02C0002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0002D mov eax, dword ptr fs:[00000030h] 13_2_02C0002D
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF0050 mov eax, dword ptr fs:[00000030h] 13_2_02BF0050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF0050 mov eax, dword ptr fs:[00000030h] 13_2_02BF0050
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56DC9 mov eax, dword ptr fs:[00000030h] 13_2_02C56DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56DC9 mov eax, dword ptr fs:[00000030h] 13_2_02C56DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56DC9 mov eax, dword ptr fs:[00000030h] 13_2_02C56DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56DC9 mov ecx, dword ptr fs:[00000030h] 13_2_02C56DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56DC9 mov eax, dword ptr fs:[00000030h] 13_2_02C56DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C56DC9 mov eax, dword ptr fs:[00000030h] 13_2_02C56DC9
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9FDE2 mov eax, dword ptr fs:[00000030h] 13_2_02C9FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9FDE2 mov eax, dword ptr fs:[00000030h] 13_2_02C9FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9FDE2 mov eax, dword ptr fs:[00000030h] 13_2_02C9FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9FDE2 mov eax, dword ptr fs:[00000030h] 13_2_02C9FDE2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C641E8 mov eax, dword ptr fs:[00000030h] 13_2_02C641E8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD2D8A mov eax, dword ptr fs:[00000030h] 13_2_02BD2D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD2D8A mov eax, dword ptr fs:[00000030h] 13_2_02BD2D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD2D8A mov eax, dword ptr fs:[00000030h] 13_2_02BD2D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD2D8A mov eax, dword ptr fs:[00000030h] 13_2_02BD2D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD2D8A mov eax, dword ptr fs:[00000030h] 13_2_02BD2D8A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C88DF1 mov eax, dword ptr fs:[00000030h] 13_2_02C88DF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFC182 mov eax, dword ptr fs:[00000030h] 13_2_02BFC182
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02581 mov eax, dword ptr fs:[00000030h] 13_2_02C02581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02581 mov eax, dword ptr fs:[00000030h] 13_2_02C02581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02581 mov eax, dword ptr fs:[00000030h] 13_2_02C02581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02581 mov eax, dword ptr fs:[00000030h] 13_2_02C02581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0A185 mov eax, dword ptr fs:[00000030h] 13_2_02C0A185
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02990 mov eax, dword ptr fs:[00000030h] 13_2_02C02990
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0FD9B mov eax, dword ptr fs:[00000030h] 13_2_02C0FD9B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0FD9B mov eax, dword ptr fs:[00000030h] 13_2_02C0FD9B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDB1E1 mov eax, dword ptr fs:[00000030h] 13_2_02BDB1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDB1E1 mov eax, dword ptr fs:[00000030h] 13_2_02BDB1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDB1E1 mov eax, dword ptr fs:[00000030h] 13_2_02BDB1E1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BED5E0 mov eax, dword ptr fs:[00000030h] 13_2_02BED5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BED5E0 mov eax, dword ptr fs:[00000030h] 13_2_02BED5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C061A0 mov eax, dword ptr fs:[00000030h] 13_2_02C061A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C061A0 mov eax, dword ptr fs:[00000030h] 13_2_02C061A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C035A1 mov eax, dword ptr fs:[00000030h] 13_2_02C035A1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C569A6 mov eax, dword ptr fs:[00000030h] 13_2_02C569A6
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA05AC mov eax, dword ptr fs:[00000030h] 13_2_02CA05AC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA05AC mov eax, dword ptr fs:[00000030h] 13_2_02CA05AC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C01DB5 mov eax, dword ptr fs:[00000030h] 13_2_02C01DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C01DB5 mov eax, dword ptr fs:[00000030h] 13_2_02C01DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C01DB5 mov eax, dword ptr fs:[00000030h] 13_2_02C01DB5
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C551BE mov eax, dword ptr fs:[00000030h] 13_2_02C551BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C551BE mov eax, dword ptr fs:[00000030h] 13_2_02C551BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C551BE mov eax, dword ptr fs:[00000030h] 13_2_02C551BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C551BE mov eax, dword ptr fs:[00000030h] 13_2_02C551BE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C13D43 mov eax, dword ptr fs:[00000030h] 13_2_02C13D43
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C53540 mov eax, dword ptr fs:[00000030h] 13_2_02C53540
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE3D34 mov eax, dword ptr fs:[00000030h] 13_2_02BE3D34
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDAD30 mov eax, dword ptr fs:[00000030h] 13_2_02BDAD30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120 mov eax, dword ptr fs:[00000030h] 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120 mov eax, dword ptr fs:[00000030h] 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120 mov eax, dword ptr fs:[00000030h] 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120 mov eax, dword ptr fs:[00000030h] 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120 mov ecx, dword ptr fs:[00000030h] 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9100 mov eax, dword ptr fs:[00000030h] 13_2_02BD9100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9100 mov eax, dword ptr fs:[00000030h] 13_2_02BD9100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD9100 mov eax, dword ptr fs:[00000030h] 13_2_02BD9100
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFC577 mov eax, dword ptr fs:[00000030h] 13_2_02BFC577
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFC577 mov eax, dword ptr fs:[00000030h] 13_2_02BFC577
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDB171 mov eax, dword ptr fs:[00000030h] 13_2_02BDB171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDB171 mov eax, dword ptr fs:[00000030h] 13_2_02BDB171
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDC962 mov eax, dword ptr fs:[00000030h] 13_2_02BDC962
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF7D50 mov eax, dword ptr fs:[00000030h] 13_2_02BF7D50
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9E539 mov eax, dword ptr fs:[00000030h] 13_2_02C9E539
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C5A537 mov eax, dword ptr fs:[00000030h] 13_2_02C5A537
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0513A mov eax, dword ptr fs:[00000030h] 13_2_02C0513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0513A mov eax, dword ptr fs:[00000030h] 13_2_02C0513A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFB944 mov eax, dword ptr fs:[00000030h] 13_2_02BFB944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BFB944 mov eax, dword ptr fs:[00000030h] 13_2_02BFB944
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C04D3B mov eax, dword ptr fs:[00000030h] 13_2_02C04D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C04D3B mov eax, dword ptr fs:[00000030h] 13_2_02C04D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C04D3B mov eax, dword ptr fs:[00000030h] 13_2_02C04D3B
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA8D34 mov eax, dword ptr fs:[00000030h] 13_2_02CA8D34
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0040ACF0 LdrLoadDll, 3_2_0040ACF0
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F14BB SetUnhandledExceptionFilter, 2_2_001F14BB
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F14EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_001F14EC
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F14BB SetUnhandledExceptionFilter, 3_2_001F14BB
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F14EC SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_001F14EC
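The `mov eax, dword ptr fs:[00000030h]` hits listed above are reads of the PEB pointer from the TEB (TEB+0x30 on 32-bit Windows); the sandbox flags them because evasive code follows the load with a read of PEB.BeingDebugged (+0x02) or PEB.NtGlobalFlag (+0x68), and the `Process queried: DebugPort` entries are the companion NtQueryInformationProcess(ProcessDebugPort) check. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it locates the fs:[30h] load encodings in raw 32-bit code and reports which PEB field, if any, the following instructions read through the loaded register, so a PEB load used for an ordinary Ldr walk (+0x0C) is told apart from an anti-debug check. The byte buffer is hand-assembled for the demo and is not extracted from skyrunyyu655432.exe; 64-bit code (gs:[60h]) is out of scope.

```python
"""
Static scanner for the PEB-read pattern the sandbox flags above.
Added example, not code from the Joe Sandbox report or from the sample.
The SAMPLE buffer is constructed for the demo and is NOT bytes taken
from skyrunyyu655432.exe.
"""
from dataclasses import dataclass
from typing import List, Optional

# 32-bit encodings of "mov <reg>, dword ptr fs:[30h]": TEB+0x30 holds the PEB pointer.
# A1 is the short moffs32 form for EAX; 8B /r with a [disp32] ModRM covers other registers.
PEB_LOADS = {
    b"\x64\xA1\x30\x00\x00\x00":     "eax",
    b"\x64\x8B\x05\x30\x00\x00\x00": "eax",
    b"\x64\x8B\x0D\x30\x00\x00\x00": "ecx",
    b"\x64\x8B\x15\x30\x00\x00\x00": "edx",
}
REG_RM = {"eax": 0, "ecx": 1, "edx": 2}          # ModRM r/m value for each base register

# 32-bit PEB fields that anti-debug code reads right after fetching the pointer.
PEB_FIELDS = {0x02: "BeingDebugged", 0x68: "NtGlobalFlag"}
WINDOW = 16                                     # bytes of lookahead for the field read


@dataclass
class PebAccess:
    offset: int            # offset of the fs:[30h] load in the buffer
    reg: str               # register that receives the PEB pointer
    field: Optional[str]   # PEB field read afterwards, or None if nothing recognisable


def _field_read(window: bytes, reg: str) -> Optional[str]:
    """Heuristic (not a disassembler): find 'mov r8/r32, [reg+disp8]' or
    'movzx r32, byte [reg+disp8]' in the window and map disp8 to a PEB field."""
    rm = REG_RM[reg]
    for i in range(len(window)):
        # 8A /r (mov r8, r/m8) and 8B /r (mov r32, r/m32): ModRM mod=01 means [base+disp8]
        if window[i] in (0x8A, 0x8B) and i + 2 < len(window):
            modrm, disp = window[i + 1], window[i + 2]
            if (modrm >> 6) == 1 and (modrm & 7) == rm and disp in PEB_FIELDS:
                return PEB_FIELDS[disp]
        # 0F B6 /r (movzx r32, r/m8), same ModRM rule
        if window[i] == 0x0F and i + 3 < len(window) and window[i + 1] == 0xB6:
            modrm, disp = window[i + 2], window[i + 3]
            if (modrm >> 6) == 1 and (modrm & 7) == rm and disp in PEB_FIELDS:
                return PEB_FIELDS[disp]
    return None


def scan_peb_access(code: bytes) -> List[PebAccess]:
    """Return every fs:[30h] load in `code`, sorted by offset, with the PEB field
    (if any) that the following instructions read through the loaded register."""
    hits: List[PebAccess] = []
    for pattern, reg in PEB_LOADS.items():
        start = 0
        while (pos := code.find(pattern, start)) != -1:
            end = pos + len(pattern)
            hits.append(PebAccess(pos, reg, _field_read(code[end:end + WINDOW], reg)))
            start = pos + 1
    return sorted(hits, key=lambda h: h.offset)


def anti_debug_reads(code: bytes) -> List[str]:
    """Names of the debugger-related PEB fields the code inspects; an empty list means
    the PEB loads found look ordinary (e.g. walking PEB->Ldr at +0x0C)."""
    return [h.field for h in scan_peb_access(code) if h.field is not None]


# Constructed demo bytes (hand-assembled; not from the analysed sample).
SAMPLE = (
    b"\x55\x8B\xEC"                       # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                 # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    + b"\x85\xC0\x75\x10"                 # test eax, eax ; jnz +0x10
    + b"\x64\x8B\x0D\x30\x00\x00\x00"     # mov ecx, fs:[30h]
    + b"\x8B\x41\x68"                     # mov eax, [ecx+68h]            ; PEB.NtGlobalFlag
    + b"\x83\xE0\x70"                     # and eax, 70h                  ; heap debug flags
    + b"\x64\xA1\x30\x00\x00\x00"         # mov eax, fs:[30h]
    + b"\x8B\x40\x0C"                     # mov eax, [eax+0Ch]            ; PEB.Ldr (benign)
    + b"\xC3"                             # ret
)

if __name__ == "__main__":
    for hit in scan_peb_access(SAMPLE):
        print(f"+0x{hit.offset:04x}: PEB -> {hit.reg}, reads {hit.field or 'no debug field'}")
```

Run against a real dump, feed it the unpacked code section rather than the packed file: the report's hits sit in the injected image inside ipconfig.exe (process 13), not in the on-disk dropper. The window heuristic will miss a check that moves the PEB pointer through another register first, so treat an empty result as "not found by this pattern", not as "no anti-debug".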

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe Domain query: www.dawonderer.com
Source: C:\Windows\explorer.exe Network Connect: 66.235.200.147 80
Source: C:\Windows\explorer.exe Domain query: www.bolacorner.com
Source: C:\Windows\explorer.exe Network Connect: 52.71.57.184 80
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 160000
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Memory written: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3968
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
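Read as a sequence, the entries above are the injection chain that explains why explorer.exe is the process making the C2 connections: the dropper unmaps the image of ipconfig.exe at 0x160000 and maps an RWX section over it (process hollowing, ATT&CK T1055.012 in the usual mapping), maps an RWX section into explorer.exe and queues an APC to start it (T1055.004), sets thread context in PID 3968, and finally has ipconfig.exe spawn cmd.exe to delete the dropper. The script below is an added example, not code from the Joe Sandbox report: it parses these behaviour lines (copied from the entries above as exported, including the "Jump to behavior" link text, which it strips), groups events by (source, target) pair and labels each pair with the injection technique the combination of events implies. The labels and the event-to-technique rules are this example's own; the report only lists the raw events, and it leaves 3968 as an unresolved PID, so the code keeps it as a string.

```python
"""
Reconstruct the injection chain from the behaviour lines of this report.
Added example, not code from the Joe Sandbox report. REPORT_LINES are the
entries above, copied as exported (including the trailing "Jump to behavior"
link text, which the parser tolerates). The technique labels are this
example's own mapping; the report itself only lists the raw events.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

REPORT_LINES = [
    r"Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 160000 Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Memory written: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe base: 400000 value starts with: 4D5A Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Thread register set: target process: 3968 Jump to behavior",
    r"Source: C:\Windows\SysWOW64\ipconfig.exe Thread register set: target process: 3968 Jump to behavior",
    r'Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe" Jump to behavior',
]

Pair = Tuple[str, str]                      # (source process, target process or PID)
TRAIL = r"(?: Jump to behavior)?$"          # link text the HTML export appends

# One regex per event type the report emits; group 1 = source, group 2 = target.
EVENTS = {
    "unmapped": re.compile(r"^Source: (\S+) Section unmapped: (\S+) base address: [0-9A-Fa-f]+" + TRAIL),
    "section":  re.compile(r"^Source: (\S+) Section loaded: unknown target: (\S+) protection: (.+?)" + TRAIL),
    "apc":      re.compile(r"^Source: (\S+) Thread APC queued: target process: (\S+)" + TRAIL),
    "ctx":      re.compile(r"^Source: (\S+) Thread register set: target process: (\S+)" + TRAIL),
    "pe_write": re.compile(r"^Source: (\S+) Memory written: (\S+) base: [0-9A-Fa-f]+ value starts with: 4D5A" + TRAIL),
}
DEL_CMD = re.compile(r'^Source: (\S+) Process created: \S*\\cmd\.exe /c del "([^"]+)"' + TRAIL)

# Event combinations and the technique they imply (this example's mapping, most specific first).
RULES: List[Tuple[Set[str], str]] = [
    ({"unmapped", "rwx_map"}, "process hollowing: target image unmapped, RWX section mapped in its place"),
    ({"rwx_map", "apc"},      "APC injection: RWX section mapped, then APC queued to run it"),
    ({"rwx_map"},             "RWX section mapped into a foreign process"),
    ({"ctx"},                 "remote thread context modified (SetThreadContext-style hijack)"),
    ({"pe_write"},            "PE image (MZ header) written at the image base"),
]


def collect_events(lines: List[str]) -> Tuple[Dict[Pair, Set[str]], List[Pair]]:
    """Group events by (source, target); also return (deleting process, deleted file) pairs."""
    events: Dict[Pair, Set[str]] = defaultdict(set)
    deletions: List[Pair] = []
    for line in lines:
        for kind, pat in EVENTS.items():
            m = pat.match(line)
            if not m:
                continue
            if kind == "section":   # split by protection so RWX mappings stand out
                kind = "rwx_map" if "execute" in m.group(3) else "rw_map"
            events[(m.group(1), m.group(2))].add(kind)
            break
        m = DEL_CMD.match(line)
        if m:
            deletions.append((m.group(1), m.group(2)))
    return dict(events), deletions


def classify(events: Dict[Pair, Set[str]]) -> Dict[Pair, List[str]]:
    """Apply RULES; a pair gets every label whose required event set it satisfies."""
    return {pair: [label for need, label in RULES if need <= kinds]
            for pair, kinds in events.items()
            if any(need <= kinds for need, _ in RULES)}


def dropper_cleanup(events: Dict[Pair, Set[str]], deletions: List[Pair]) -> List[Pair]:
    """Deletions whose removed file is itself an injecting process in the chain."""
    sources = {src for src, _ in events}
    return [(who, path) for who, path in deletions if path in sources]


if __name__ == "__main__":
    ev, dels = collect_events(REPORT_LINES)
    for (src, dst), labels in classify(ev).items():
        print(f"{src} -> {dst}")
        for label in labels:
            print(f"    {label}")
    for who, path in dropper_cleanup(ev, dels):
        print(f"{who} deleted {path} after the injection chain completed")
```

The pair view is what makes the chain readable: jfotlqeoqb.exe -> ipconfig.exe carries the unmap plus RWX map (hollowing), jfotlqeoqb.exe -> explorer.exe carries the RWX map plus APC, and ipconfig.exe -> explorer.exe carries only section maps, which is consistent with the hollowed ipconfig.exe staging data into the explorer.exe payload rather than starting it. The same grouping applies to EDR telemetry (NtUnmapViewOfSection, NtMapViewOfSection with PAGE_EXECUTE_READWRITE, NtQueueApcThread, NtSetContextThread) if the regexes are swapped for the sensor's field names.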
Source: explorer.exe, 00000006.00000000.297613941.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.405442294.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.341373691.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000006.00000000.333653859.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.350435148.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.341667901.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.405844896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.341667901.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.405844896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.405534885.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.297624532.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.341397222.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.341667901.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.405844896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001EFE73 cpuid 2_2_001EFE73
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F0FE8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 2_2_001F0FE8

Stealing of Sensitive Information

Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY