Analysis Report PO2091185.exe

Overview

General Information

Sample Name: PO2091185.exe
Analysis ID: 284329
MD5: 4e23c3068ea7c9047be5616b20b3eed6
SHA1: ee011a309dbcb24a53439a0c1ca845d20e5ba1b9
SHA256: 06859856004ea11da1cec9e5c43126db08b797ac703d67b30608449b14fbd079

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to simulate mouse events
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO2091185.exe (PID: 3988 cmdline: 'C:\Users\user\Desktop\PO2091185.exe' MD5: 4E23C3068EA7C9047BE5616B20B3EED6)
    • conhost.exe (PID: 4892 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO2091185.exe (PID: 4144 cmdline: 'C:\Users\user\Desktop\PO2091185.exe' MD5: 4E23C3068EA7C9047BE5616B20B3EED6)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 6728 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 412 cmdline: /c del 'C:\Users\user\Desktop\PO2091185.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 7n0dv0h.exe (PID: 6392 cmdline: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe MD5: 4E23C3068EA7C9047BE5616B20B3EED6)
          • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 7n0dv0h.exe (PID: 5844 cmdline: 'C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe' MD5: 4E23C3068EA7C9047BE5616B20B3EED6)
          • conhost.exe (PID: 408 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 7n0dv0h.exe (PID: 6600 cmdline: 'C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe' MD5: 4E23C3068EA7C9047BE5616B20B3EED6)
          • conhost.exe (PID: 6232 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000001.00000002.384843456.0000000000690000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.384843456.0000000000690000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
(22 entries in total; only the first are listed)

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.PO2091185.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.PO2091185.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
3.2.PO2091185.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
3.2.PO2091185.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.PO2091185.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
(19 entries in total; only the first are listed)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Lopxt1nnx\7n0dv0h.exe | Virustotal: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\Lopxt1nnx\7n0dv0h.exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\Lopxt1nnx\7n0dv0h.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: PO2091185.exe | Metadefender: Detection: 13%
Source: PO2091185.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.384843456.0000000000690000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.621333766.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.419208489.0000000000A20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.621083500.0000000000C00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.418327721.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.639165272.0000000000E80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.419280670.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.639420792.0000000001250000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.PO2091185.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.PO2091185.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.7n0dv0h.exe.1250000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.7n0dv0h.exe.e80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 26.2.7n0dv0h.exe.1250000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO2091185.exe.690000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.PO2091185.exe.690000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 28.2.7n0dv0h.exe.e80000.1.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Lopxt1nnx\7n0dv0h.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO2091185.exe | Joe Sandbox ML: detected
Source: 3.2.PO2091185.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 26.2.7n0dv0h.exe.1250000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.PO2091185.exe.690000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 28.2.7n0dv0h.exe.e80000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 4x nop then pop edi | 3_2_00416C44
Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 4x nop then pop edi | 3_2_00417CB6
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop edi | 9_2_00C17CB6
Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4x nop then pop edi | 9_2_00C16C51

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49757
Source: global traffic | HTTP traffic detected:
  GET /flc/?Ezu=EGk914LYzLFBWzpbY1jhhOrl9i6WStcylm4Py+s6w9zbtVTIPJBvzygYRfAPQmEANCpf&Rxo=M6ADLLspq8WH HTTP/1.1
  Host: www.peaceofminderbinder.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.nogodbeforeme.net

E-Banking Fraud:

Yara detected FormBook (same Yara match sources as listed under AV Detection)

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\L6827ST2\L68logri.ini
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\L6827ST2\L68logrv.ini
Malicious sample detected (through community Yara rule)
Matched rules (every source below matched both):
  • autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Sources, type: MEMORY:
  • 00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp
  • 00000001.00000002.384843456.0000000000690000.00000004.00000001.sdmp
  • 00000009.00000002.621333766.00000000010C0000.00000040.00000001.sdmp
  • 00000003.00000002.419208489.0000000000A20000.00000040.00000001.sdmp
  • 00000009.00000002.621083500.0000000000C00000.00000040.00000001.sdmp
  • 00000003.00000002.418327721.0000000000400000.00000040.00000001.sdmp
  • 0000001C.00000002.639165272.0000000000E80000.00000004.00000001.sdmp
  • 00000003.00000002.419280670.0000000000A50000.00000040.00000001.sdmp
  • 0000001A.00000002.639420792.0000000001250000.00000004.00000001.sdmp
Sources, type: UNPACKEDPE:
  • 3.2.PO2091185.exe.400000.0.raw.unpack
  • 3.2.PO2091185.exe.400000.0.unpack
  • 26.2.7n0dv0h.exe.1250000.1.raw.unpack
  • 28.2.7n0dv0h.exe.e80000.1.raw.unpack
  • 26.2.7n0dv0h.exe.1250000.1.unpack
  • 1.2.PO2091185.exe.690000.0.raw.unpack
  • 1.2.PO2091185.exe.690000.0.unpack
  • 28.2.7n0dv0h.exe.e80000.1.unpack
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419CA0 NtCreateFile | 3_2_00419CA0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419D50 NtReadFile | 3_2_00419D50
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419DD0 NtClose | 3_2_00419DD0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419E80 NtAllocateVirtualMemory | 3_2_00419E80
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419C9A NtCreateFile | 3_2_00419C9A
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419D4A NtReadFile | 3_2_00419D4A
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00419EFA NtAllocateVirtualMemory | 3_2_00419EFA
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E895D0 NtClose, LdrInitializeThunk | 9_2_04E895D0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89560 NtWriteFile, LdrInitializeThunk | 9_2_04E89560
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89540 NtReadFile, LdrInitializeThunk | 9_2_04E89540
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E896E0 NtFreeVirtualMemory, LdrInitializeThunk | 9_2_04E896E0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E896D0 NtCreateKey, LdrInitializeThunk | 9_2_04E896D0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89660 NtAllocateVirtualMemory, LdrInitializeThunk | 9_2_04E89660
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89650 NtQueryValueKey, LdrInitializeThunk | 9_2_04E89650
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89610 NtEnumerateValueKey, LdrInitializeThunk | 9_2_04E89610
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89FE0 NtCreateMutant, LdrInitializeThunk | 9_2_04E89FE0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89780 NtMapViewOfSection, LdrInitializeThunk | 9_2_04E89780
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89770 NtSetInformationFile, LdrInitializeThunk | 9_2_04E89770
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89710 NtQueryInformationToken, LdrInitializeThunk | 9_2_04E89710
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89860 NtQuerySystemInformation, LdrInitializeThunk | 9_2_04E89860
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89840 NtDelayExecution, LdrInitializeThunk | 9_2_04E89840
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E899A0 NtCreateSection, LdrInitializeThunk | 9_2_04E899A0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89910 NtAdjustPrivilegesToken, LdrInitializeThunk | 9_2_04E89910
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89A50 NtCreateFile, LdrInitializeThunk | 9_2_04E89A50
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89B00 NtSetValueKey, LdrInitializeThunk | 9_2_04E89B00
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E895F0 NtQueryInformationFile | 9_2_04E895F0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89520 NtWaitForSingleObject | 9_2_04E89520
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E8AD30 NtSetContextThread | 9_2_04E8AD30
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89670 NtQueryInformationProcess | 9_2_04E89670
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E897A0 NtUnmapViewOfSection | 9_2_04E897A0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89760 NtOpenProcess | 9_2_04E89760
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E8A770 NtOpenThread | 9_2_04E8A770
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89730 NtQueryVirtualMemory | 9_2_04E89730
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E8A710 NtOpenProcessToken | 9_2_04E8A710
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E898F0 NtReadVirtualMemory | 9_2_04E898F0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E898A0 NtWriteVirtualMemory | 9_2_04E898A0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E8B040 NtSuspendThread | 9_2_04E8B040
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89820 NtEnumerateKey | 9_2_04E89820
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E899D0 NtCreateProcessEx | 9_2_04E899D0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89950 NtQueueApcThread | 9_2_04E89950
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89A80 NtOpenDirectoryObject | 9_2_04E89A80
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89A20 NtResumeThread | 9_2_04E89A20
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89A00 NtProtectVirtualMemory | 9_2_04E89A00
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E89A10 NtQuerySection | 9_2_04E89A10
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E8A3B0 NtGetContextThread | 9_2_04E8A3B0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19CA0 NtCreateFile | 9_2_00C19CA0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19DD0 NtClose | 9_2_00C19DD0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19D50 NtReadFile | 9_2_00C19D50
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19E80 NtAllocateVirtualMemory | 9_2_00C19E80
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19C9A NtCreateFile | 9_2_00C19C9A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19D4A NtReadFile | 9_2_00C19D4A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C19EFA NtAllocateVirtualMemory | 9_2_00C19EFA
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009856B0 | 1_2_009856B0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009A51B0 | 1_2_009A51B0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009B73B0 | 1_2_009B73B0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009A6FA0 | 1_2_009A6FA0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009D96A0 | 1_2_009D96A0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_0099B5D0 | 1_2_0099B5D0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009E7EF0 | 1_2_009E7EF0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009CC5E0 | 1_2_009CC5E0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009E25E0 | 1_2_009E25E0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009ACA10 | 1_2_009ACA10
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009C4C00 | 1_2_009C4C00
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009C8730 | 1_2_009C8730
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009EEE30 | 1_2_009EEE30
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_00981320 | 1_2_00981320
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009CE120 | 1_2_009CE120
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_0098FE50 | 1_2_0098FE50
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009B0C50 | 1_2_009B0C50
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009C0150 | 1_2_009C0150
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009BCA70 | 1_2_009BCA70
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009D5370 | 1_2_009D5370
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_00999960 | 1_2_00999960
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009EAA60 | 1_2_009EAA60
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00401030 | 3_2_00401030
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0041E117 | 3_2_0041E117
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00402D87 | 3_2_00402D87
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00402D90 | 3_2_00402D90
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00409E1F | 3_2_00409E1F
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00409E20 | 3_2_00409E20
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009AA809 | 3_2_009AA809
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009A51B0 | 3_2_009A51B0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0099711E | 3_2_0099711E
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009CE120 | 3_2_009CE120
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00993153 | 3_2_00993153
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009C0150 | 3_2_009C0150
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00997171 | 3_2_00997171
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00999960 | 3_2_00999960
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009ACA10 | 3_2_009ACA10
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009BCA70 | 3_2_009BCA70
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009EAA60 | 3_2_009EAA60
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009B73B0 | 3_2_009B73B0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00981320 | 3_2_00981320
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009D5370 | 3_2_009D5370
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009C4C00 | 3_2_009C4C00
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_00986C2C | 3_2_00986C2C
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009B0C50 | 3_2_009B0C50
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009B059F | 3_2_009B059F
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009965AC | 3_2_009965AC
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0099B5D0 | 3_2_0099B5D0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0098CDF2 | 3_2_0098CDF2
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009CC5E0 | 3_2_009CC5E0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009E25E0 | 3_2_009E25E0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009856B0 | 3_2_009856B0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009D96A0 | 3_2_009D96A0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009E7EF0 | 3_2_009E7EF0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009EEE30 | 3_2_009EEE30
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0098FE50 | 3_2_0098FE50
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009A6FA0 | 3_2_009A6FA0
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_009C8730 | 3_2_009C8730
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F04496 | 9_2_04F04496
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E6B477 | 9_2_04E6B477
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F0D466 | 9_2_04F0D466
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E5841F | 9_2_04E5841F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E5D5E0 | 9_2_04E5D5E0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F125DD | 9_2_04F125DD
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E72581 | 9_2_04E72581
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F02D82 | 9_2_04F02D82
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F11D55 | 9_2_04F11D55
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E40D20 | 9_2_04E40D20
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F12D07 | 9_2_04F12D07
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F12EF7 | 9_2_04F12EF7
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E66E30 | 9_2_04E66E30
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F0D616 | 9_2_04F0D616
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F11FF1 | 9_2_04F11FF1
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F1DFCE | 9_2_04F1DFCE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F128EC | 9_2_04F128EC
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E720A0 | 9_2_04E720A0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F120A8 | 9_2_04F120A8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E5B090 | 9_2_04E5B090
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F1E824 | 9_2_04F1E824
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E6A830 | 9_2_04E6A830
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F01002 | 9_2_04F01002
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E699BF | 9_2_04E699BF
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E64120 | 9_2_04E64120
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E4F900 | 9_2_04E4F900
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F04AEF | 9_2_04F04AEF
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F122AE | 9_2_04F122AE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04EFFA2B | 9_2_04EFFA2B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E6B236 | 9_2_04E6B236
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04EF23E3 | 9_2_04EF23E3
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F0DBD2 | 9_2_04F0DBD2
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F003DA | 9_2_04F003DA
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E7ABD8 | 9_2_04E7ABD8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E7EBB0 | 9_2_04E7EBB0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E7138B | 9_2_04E7138B
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E6EB9A | 9_2_04E6EB9A
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04EECB4F | 9_2_04EECB4F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E6AB40 | 9_2_04E6AB40
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04F12B28 | 9_2_04F12B28
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_04E6A309 | 9_2_04E6A309
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C1E117 | 9_2_00C1E117
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C02D87 | 9_2_00C02D87
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C02D90 | 9_2_00C02D90
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C09E1F | 9_2_00C09E1F
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C09E20 | 9_2_00C09E20
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 9_2_00C02FB0 | 9_2_00C02FB0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00234C00 | 26_2_00234C00
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0021A809 | 26_2_0021A809
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_001F6C2C | 26_2_001F6C2C
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00220C50 | 26_2_00220C50
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0023E120 | 26_2_0023E120
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0020711E | 26_2_0020711E
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00209960 | 26_2_00209960
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00207171 | 26_2_00207171
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00230150 | 26_2_00230150
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00203153 | 26_2_00203153
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_002065AC | 26_2_002065AC
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_002151B0 | 26_2_002151B0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0022059F | 26_2_0022059F
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0023C5E0 | 26_2_0023C5E0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_002525E0 | 26_2_002525E0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_001FCDF2 | 26_2_001FCDF2
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0020B5D0 | 26_2_0020B5D0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0025EE30 | 26_2_0025EE30
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0021CA10 | 26_2_0021CA10
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0025AA60 | 26_2_0025AA60
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_001FFE50 | 26_2_001FFE50
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_0022CA70 | 26_2_0022CA70
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_002496A0 | 26_2_002496A0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_001F56B0 | 26_2_001F56B0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00257EF0 | 26_2_00257EF0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00238730 | 26_2_00238730
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_001F1320 | 26_2_001F1320
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00245370 | 26_2_00245370
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_00216FA0 | 26_2_00216FA0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 26_2_002273B0 | 26_2_002273B0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00234C00 | 28_2_00234C00
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0021A809 | 28_2_0021A809
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_001F6C2C | 28_2_001F6C2C
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00220C50 | 28_2_00220C50
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0023E120 | 28_2_0023E120
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0020711E | 28_2_0020711E
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00209960 | 28_2_00209960
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00207171 | 28_2_00207171
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00230150 | 28_2_00230150
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00203153 | 28_2_00203153
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_002065AC | 28_2_002065AC
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_002151B0 | 28_2_002151B0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0022059F | 28_2_0022059F
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0023C5E0 | 28_2_0023C5E0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_002525E0 | 28_2_002525E0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_001FCDF2 | 28_2_001FCDF2
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0020B5D0 | 28_2_0020B5D0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0025EE30 | 28_2_0025EE30
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0021CA10 | 28_2_0021CA10
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0025AA60 | 28_2_0025AA60
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_001FFE50 | 28_2_001FFE50
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_0022CA70 | 28_2_0022CA70
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_002496A0 | 28_2_002496A0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_001F56B0 | 28_2_001F56B0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00257EF0 | 28_2_00257EF0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00238730 | 28_2_00238730
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_001F1320 | 28_2_001F1320
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00245370 | 28_2_00245370
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_00216FA0 | 28_2_00216FA0
          Source: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe | Code function: 28_2_002273B0 | 28_2_002273B0
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: String function: 04E4B150 appears 139 times
          Source: PO2091185.exe, 00000001.00000003.380916142.00000000023F6000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO2091185.exe
          Source: PO2091185.exe, 00000003.00000002.420740129.000000000124F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO2091185.exe
          Source: PO2091185.exe, 00000003.00000002.419747289.0000000001100000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs PO2091185.exe
          Source: 00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.621352504.00000000010F0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.384843456.0000000000690000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.384843456.0000000000690000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.621333766.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.621333766.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.419208489.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.419208489.0000000000A20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.621083500.0000000000C00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.621083500.0000000000C00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.418327721.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.418327721.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001C.00000002.639165272.0000000000E80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001C.00000002.639165272.0000000000E80000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.419280670.0000000000A50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.419280670.0000000000A50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001A.00000002.639420792.0000000001250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001A.00000002.639420792.0000000001250000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.PO2091185.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.PO2091185.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.PO2091185.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.PO2091185.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 26.2.7n0dv0h.exe.1250000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 26.2.7n0dv0h.exe.1250000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 28.2.7n0dv0h.exe.e80000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 28.2.7n0dv0h.exe.e80000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 26.2.7n0dv0h.exe.1250000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 26.2.7n0dv0h.exe.1250000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO2091185.exe.690000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO2091185.exe.690000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.PO2091185.exe.690000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.PO2091185.exe.690000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 28.2.7n0dv0h.exe.e80000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 28.2.7n0dv0h.exe.e80000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@17/5@6/1
          Source: C:\Windows\SysWOW64\wscript.exeFile created: C:\Users\user\AppData\Roaming\L6827ST2Jump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6232:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4892:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:408:120:WilError_01
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\Lopxt1nnxJump to behavior
          Source: PO2091185.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Windows\explorer.exeFile read: C:\Users\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\PO2091185.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: PO2091185.exeMetadefender: Detection: 13%
          Source: PO2091185.exeReversingLabs: Detection: 25%
          Source: C:\Users\user\Desktop\PO2091185.exeFile read: C:\Users\user\Desktop\PO2091185.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\PO2091185.exe 'C:\Users\user\Desktop\PO2091185.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\PO2091185.exe 'C:\Users\user\Desktop\PO2091185.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO2091185.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe 'C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe 'C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO2091185.exeProcess created: C:\Users\user\Desktop\PO2091185.exe 'C:\Users\user\Desktop\PO2091185.exe' Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe 'C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe' Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe 'C:\Program Files (x86)\Lopxt1nnx\7n0dv0h.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO2091185.exe'Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32Jump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeFile written: C:\Users\user\AppData\Roaming\L6827ST2\L68logri.iniJump to behavior
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Windows\SysWOW64\wscript.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: PO2091185.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL source: PO2091185.exe, 00000003.00000002.419747289.0000000001100000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.401901299.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO2091185.exe, 00000001.00000003.380226130.00000000022E0000.00000004.00000001.sdmp, PO2091185.exe, 00000003.00000002.419891383.0000000001130000.00000040.00000001.sdmp, wscript.exe, 00000009.00000002.676135265.0000000004F3F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO2091185.exe, 00000001.00000003.380226130.00000000022E0000.00000004.00000001.sdmp, PO2091185.exe, 00000003.00000002.419891383.0000000001130000.00000040.00000001.sdmp, wscript.exe
          Source: Binary string: wscript.pdb source: PO2091185.exe, 00000003.00000002.419747289.0000000001100000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.401901299.0000000007640000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009F59AB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_009F59AB
          Source: 7n0dv0h.exe.4.dr | Static PE information: real checksum: 0x87e21 should be: 0xb2488
          Source: PO2091185.exe | Static PE information: real checksum: 0x87e21 should be: 0xb2488
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 1_2_009F4DE5 push ecx; ret 1_2_009F4DF8
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0041D08F push edi; ret 3_2_0041D091
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0041CDF5 push eax; ret 3_2_0041CE48
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0041CE42 push eax; ret 3_2_0041CE48
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0041CE4B push eax; ret 3_2_0041CEB2
          Source: C:\Users\user\Desktop\PO2091185.exe | Code function: 3_2_0041D614