Analysis Report FtMFciTesQ.exe

Overview

General Information

Sample Name: FtMFciTesQ.exe
Analysis ID: 284922
MD5: 2fd1db16b85447d203972411b90c0efa
SHA1: 60fcaa0e77d32a319b10bd12598873f6a1b60bc5
SHA256: 414578aa9e1ab74c43ae636f64758a5a2dd59ab81619aa054de1fb6c9140f2e6

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Hijacks the control flow in another process
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • FtMFciTesQ.exe (PID: 4996 cmdline: 'C:\Users\user\Desktop\FtMFciTesQ.exe' MD5: 2FD1DB16B85447D203972411B90C0EFA)
    • rundll32.exe (PID: 4856 cmdline: rundll32.exe SitulaCystocele,Hurley MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
      • cmd.exe (PID: 6408 cmdline: C:\Windows\system32\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • cmmon32.exe (PID: 5616 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
            • cmd.exe (PID: 6372 cmdline: /c del 'C:\Windows\SysWOW64\cmd.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nx4tzlcht4nhyjh.exe (PID: 5468 cmdline: 'C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5464 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • nx4tzlcht4nhyjh.exe (PID: 5836 cmdline: 'C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
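The tree above is the chain the signature list describes: rundll32.exe loading a DLL by bare name (SitulaCystocele, export Hurley), a cmd.exe started from rundll32.exe (the Yara section shows FormBook unpacked inside it), explorer.exe then running cmmon32.exe, a `cmd /c del` aimed at a cmd.exe under C:\Windows, and two executables under Program Files (x86) whose MD5 equals that of cmd.exe (the "Drops or copies cmd.exe with a different name" signature). As an added example, not part of the report or of Joe Sandbox, here is a Python detection pass over process-creation events rebuilt from the tree. PIDs, command lines and MD5s are taken from the tree as listed; parent PIDs are inferred from the nesting, which is an assumption since the report shows parentage only as indentation.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int      # assumed from the tree's nesting; the report shows parentage only as indentation
    image: str     # image name as printed in the tree
    cmdline: str
    md5: str


# Constructed from the report's Startup tree: PIDs, command lines and MD5s as listed there.
EVENTS = [
    ProcEvent(4996, 0,    "FtMFciTesQ.exe",      "'C:\\Users\\user\\Desktop\\FtMFciTesQ.exe'",            "2FD1DB16B85447D203972411B90C0EFA"),
    ProcEvent(4856, 4996, "rundll32.exe",        "rundll32.exe SitulaCystocele,Hurley",                    "D7CA562B0DB4F4DD0F03A89A1FDAD63D"),
    ProcEvent(6408, 4856, "cmd.exe",             "C:\\Windows\\system32\\cmd.exe",                         "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(3508, 6408, "explorer.exe",        "",                                                       "AD5296B280E8F522A8A897C96BAB0E1D"),
    ProcEvent(5616, 3508, "cmmon32.exe",         "C:\\Windows\\SysWOW64\\cmmon32.exe",                     "2879B30A164B9F7671B5E6B2E9F8DFDA"),
    ProcEvent(6372, 5616, "cmd.exe",             "/c del 'C:\\Windows\\SysWOW64\\cmd.exe'",                "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(6332, 6372, "conhost.exe",         "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ProcEvent(5468, 3508, "nx4tzlcht4nhyjh.exe", "'C:\\Program Files (x86)\\X0brp\\nx4tzlcht4nhyjh.exe'",  "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(5464, 5468, "conhost.exe",         "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
    ProcEvent(5836, 3508, "nx4tzlcht4nhyjh.exe", "'C:\\Program Files (x86)\\X0brp\\nx4tzlcht4nhyjh.exe'",  "F3BDBE3BB6F734E357235F4D5898582D"),
    ProcEvent(7136, 5836, "conhost.exe",         "C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1", "EA777DEEA782E8B4D7C7C33BBF8A4496"),
]

# rundll32 given a DLL by bare name (no path, no extension) plus an export, e.g. "rundll32.exe SitulaCystocele,Hurley"
RUNDLL32_BARE_DLL = re.compile(r"^rundll32(?:\.exe)?\s+([^\\/\s,.]+),\s*\S+", re.IGNORECASE)
# "cmd /c del" of something under C:\Windows\, as in the tree's "/c del 'C:\Windows\SysWOW64\cmd.exe'"
DEL_UNDER_WINDOWS = re.compile(r"/c\s+del\s+'?C:\\Windows\\", re.IGNORECASE)
WINDOWS_PATH = re.compile(r"^'?C:\\Windows\\", re.IGNORECASE)


def system_binary_hashes(events):
    """MD5 -> image name for everything the tree shows running from under C:\\Windows\\.
    This is the baseline for spotting a system binary copied under another name."""
    baseline = {}
    for e in events:
        if WINDOWS_PATH.match(e.cmdline):
            baseline.setdefault(e.md5.upper(), e.image.lower())
    return baseline


def detect(events):
    """Return (pid, rule_name) pairs for every event that matches one of the rules."""
    by_pid = {e.pid: e for e in events}
    baseline = system_binary_hashes(events)
    alerts = []
    for e in events:
        image = e.image.lower()
        parent = by_pid.get(e.ppid)
        if image == "rundll32.exe" and RUNDLL32_BARE_DLL.match(e.cmdline):
            alerts.append((e.pid, "rundll32_loads_dll_by_bare_name"))
        if image == "cmd.exe" and parent is not None and parent.image.lower() == "rundll32.exe":
            alerts.append((e.pid, "cmd_spawned_by_rundll32"))
        if image == "cmd.exe" and DEL_UNDER_WINDOWS.search(e.cmdline):
            alerts.append((e.pid, "cmd_deletes_file_under_windows_dir"))
        # Same hash as a binary seen under C:\Windows\ but a different file name: a renamed copy.
        known = baseline.get(e.md5.upper())
        if known is not None and known != image:
            alerts.append((e.pid, f"renamed_copy_of_{known}"))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

The hash-baseline rule is the one worth keeping: the two nx4tzlcht4nhyjh.exe processes carry cmd.exe's MD5, which no file-name or path rule would catch. On a real endpoint the baseline would come from the image hashes your EDR already records for files under C:\Windows rather than from the same event batch.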

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x18349:$sqlite3step: 68 34 1C 7B E1
    • 0x1845c:$sqlite3step: 68 34 1C 7B E1
    • 0x18378:$sqlite3text: 68 38 2A 90 C5
    • 0x1849d:$sqlite3text: 68 38 2A 90 C5
    • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 2.2.cmd.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.cmd.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.cmd.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
        • 0x17549:$sqlite3step: 68 34 1C 7B E1
        • 0x1765c:$sqlite3step: 68 34 1C 7B E1
        • 0x17578:$sqlite3text: 68 38 2A 90 C5
        • 0x1769d:$sqlite3text: 68 38 2A 90 C5
        • 0x1758b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x176b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.cmd.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.cmd.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
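All of the hits above are plain byte-sequence rules. The three JPCERT/CC strings share one shape: `68` is the x86 `push imm32` opcode, so each string is a fixed 32-bit constant being pushed, and the rule names (sqlite3step, sqlite3text, sqlite3blob) label them as sqlite3-related, which fits the browser-data-stealing signatures listed in the Detection section. Note also that every JPCERT string hits at two offsets in each dump (0x18349 and 0x1845c, and so on). As an added example, not from the report and not the code of either rule's author, here is a dependency-free Python scanner that searches a buffer for the JPCERT strings plus two of the yara-signator sequences, decodes the push immediates, and renders the same strings as YARA rule text so they can be re-run with the yara CLI. The sample buffer is constructed; the "all three JPCERT strings must be present" verdict is an assumption, since the report lists the rule's strings but not its condition.

```python
import struct

# Hex strings copied from the YARA hits listed in this report. The first three are the
# JPCERT/CC "Formbook" rule's strings; the other two are yara-signator "Formbook_1" sequences.
PATTERNS = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
    "sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_7":  "66 89 0C 02 5B 8B E5 5D",
}
JPCERT_STRINGS = ("sqlite3step", "sqlite3text", "sqlite3blob")


def hex_to_bytes(hex_string):
    return bytes.fromhex(hex_string.replace(" ", ""))


def find_all(buf, needle):
    """Every offset at which needle occurs in buf (overlapping occurrences included)."""
    offsets, start = [], 0
    while True:
        idx = buf.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan(buf, patterns=PATTERNS):
    """Return {pattern_name: [offsets]} for every pattern that occurs at least once."""
    hits = {}
    for name, hex_string in patterns.items():
        offsets = find_all(buf, hex_to_bytes(hex_string))
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(hex_string):
    """Decode a 5-byte 'push imm32' (opcode 0x68) pattern into the little-endian immediate it pushes."""
    raw = hex_to_bytes(hex_string)
    if len(raw) != 5 or raw[0] != 0x68:
        raise ValueError("not a push imm32 pattern")
    return struct.unpack("<I", raw[1:])[0]


def jpcert_verdict(hits):
    """Assumed condition: all three JPCERT strings present. The report lists the strings, not the condition."""
    return all(name in hits for name in JPCERT_STRINGS)


def to_yara(rule_name, patterns, condition):
    """Render the patterns as YARA rule text so the same logic can be run with the yara CLI."""
    body = "\n".join(f"        ${name} = {{ {hex_string} }}" for name, hex_string in patterns.items())
    return f"rule {rule_name} {{\n    strings:\n{body}\n    condition:\n        {condition}\n}}\n"


def build_sample():
    """Constructed test buffer: zero filler with each JPCERT string planted twice (mirroring the
    paired offsets in the report) plus one sequence_0. sequence_7 is deliberately absent."""
    buf = bytearray(0x400)
    layout = [("sqlite3step", 0x100), ("sqlite3text", 0x120), ("sqlite3blob", 0x140),
              ("sqlite3step", 0x200), ("sqlite3text", 0x220), ("sqlite3blob", 0x240),
              ("sequence_0", 0x300)]
    for name, offset in layout:
        raw = hex_to_bytes(PATTERNS[name])
        buf[offset:offset + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample()
    hits = scan(sample)
    for name, offsets in hits.items():
        print(name, [hex(o) for o in offsets])
    print("JPCERT verdict:", jpcert_verdict(hits))
    print("push immediates:", {n: hex(push_imm32(PATTERNS[n])) for n in JPCERT_STRINGS})
    print(to_yara("Formbook_from_report", PATTERNS, "all of ($sqlite3*)"))
```

Scan the unpacked PE rather than the on-disk sample: the report's own hits are all on memory dumps and `.unpack` files, and the offsets differ between the raw and mapped copies (0x18349 in the raw dump versus 0x17549 in the unpacked image), so store the constants, not the offsets.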

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: http://www.glowtey.com/c233/ | Virustotal: Detection: 6%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll | Virustotal: Detection: 10%
Multi AV Scanner detection for submitted file
Source: FtMFciTesQ.exe | Virustotal: Detection: 17%
Source: FtMFciTesQ.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.469706193.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.636206463.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.471177500.0000000005010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: FtMFciTesQ.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 2.2.cmd.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10001048 RegDeleteValueA,RegSaveKeyA,WSAAsyncGetServByName,CryptHashData,SwitchToFiber,GetLogicalDriveStringsA,GetNumberOfEventLogRecords,GetTapeStatus,GlobalFree,SetProcessShutdownParameters,WaitForSingleObjectEx,RegLoadKeyA,CryptDestroyHash,UnmapViewOfFile,UnlockFile,GetModuleHandleA,GetProcAddress,GetProcAddress,VirtualAlloc,VirtualAlloc,GetModuleHandleA,1_2_10001048
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_00406469 FindFirstFileA,FindClose,0_2_00406469
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_00402765 FindFirstFileA,0_2_00402765
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_0040592E CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_0040592E
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D8245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove,26_2_00D8245C
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose,26_2_00D7B89C
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D868BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose,26_2_00D868BA
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D931DC FindFirstFileW,FindNextFileW,FindClose,26_2_00D931DC
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D785EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,26_2_00D785EA
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi | 2_2_0041721F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi | 2_2_0041728F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi | 2_2_004172AD
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi | 2_2_0040E404
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop esi | 14_2_02A472AD
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop esi | 14_2_02A4728F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop esi | 14_2_02A4721F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 4x nop then pop edi | 14_2_02A3E404

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49749
Source: global traffic | HTTP traffic detected: GET /c233/?tZO4=RSHlPEY6UP6dbeUyIKE98YGH1tkxPcGydt5bbC6UikjHtooFmjecP5AuR3MghYuQVogq&FdCl=xN646nRHJ HTTP/1.1 | Host: www.shopmaincollection.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.64
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: unknown | DNS traffic detected: queries for: www.shopmaincollection.com
Source: explorer.exe, 00000005.00000003.551171718.000000000E2B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: r2400.xml.0.dr | String found in binary or memory: http://gimp-print.sourceforge.net/xsd/gp.xsd-1.0
Source: reportobjectbar.xml.0.dr | String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: FtMFciTesQ.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: FtMFciTesQ.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: nsrC1D4.tmp.0.dr | String found in binary or memory: http://openoffice.org/2001/menu
Source: reportobjectbar.xml.0.dr | String found in binary or memory: http://openoffice.org/2001/toolbar
Source: explorer.exe, 00000005.00000000.417761646.0000000002280000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.17aia.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.17aia.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.17aia.com/c233/www.glowtey.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.17aia.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.com/c233/www.lumenhealthandwellness.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.advincicode.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.com/c233/www.minimalismoweb.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.affilexample6.comReferer:
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp, reportobjectbar.xml.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.445499799.0000000007CC8000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icu
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icu/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icu/c233/www.qualitygenerallegalhelp.website
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.climpuright.icuReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.concentratedprerolls.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.concentratedprerolls.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.concentratedprerolls.com/c233/www.indiankhedu.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.concentratedprerolls.comReferer:
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: nsrC1D4.tmp.0.dr | String found in binary or memory: http://www.freedesktop.org/standards/shared-mime-info
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com/c233/www.smartlivegt.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.comReferer:
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.com/c233/www.the-mistershop.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.henesymarte.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.com/c233/www.advincicode.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.indiankhedu.comReferer:
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.com/c233/www.pro-ecare.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.lumenhealthandwellness.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.minimalismoweb.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.minimalismoweb.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.minimalismoweb.com/c233/3
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.minimalismoweb.comReferer:
Source: nsrC1D4.tmp.0.dr | String found in binary or memory: http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.com/c233/www.snelitepainting.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.pro-ecare.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.qualitygenerallegalhelp.website
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.qualitygenerallegalhelp.website/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.qualitygenerallegalhelp.website/c233/www.henesymarte.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.qualitygenerallegalhelp.websiteReferer:
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.shopmaincollection.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.shopmaincollection.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.shopmaincollection.com/c233/www.17aia.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.shopmaincollection.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartlivegt.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartlivegt.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartlivegt.com/c233/www.climpuright.icu
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.smartlivegt.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.snelitepainting.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.snelitepainting.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.snelitepainting.com/c233/www.affilexample6.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.snelitepainting.comReferer:
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.the-mistershop.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.the-mistershop.com/c233/
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.the-mistershop.com/c233/www.concentratedprerolls.com
Source: explorer.exe, 00000005.00000003.552144224.000000000E204000.00000004.00000001.sdmp | String found in binary or memory: http://www.the-mistershop.comReferer:
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.448952250.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cmmon32.exe, 0000000E.00000002.640143567.00000000027F8000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033U
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfu
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cmmon32.exe, 0000000E.00000002.637848371.0000000000442000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: C:\Users\user\Desktop\FtMFciTesQ.exeCode function: 0_2_004053CB GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_004053CB

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.469706193.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.636206463.00000000001E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.471177500.0000000005010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\50PAP-W8\50Plogri.ini
Source: C:\Windows\SysWOW64\cmmon32.exe | Dropped file: C:\Users\user\AppData\Roaming\50PAP-W8\50Plogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.469706193.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.469706193.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.636206463.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.636206463.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.471177500.0000000005010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.471177500.0000000005010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419CA0 NtCreateFile | 2_2_00419CA0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419D50 NtReadFile | 2_2_00419D50
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419DD0 NtClose | 2_2_00419DD0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419C9A NtCreateFile | 2_2_00419C9A
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419D4A NtReadFile | 2_2_00419D4A
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00419DCA NtClose | 2_2_00419DCA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9540 NtReadFile,LdrInitializeThunk | 2_2_052B9540
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B95D0 NtClose,LdrInitializeThunk | 2_2_052B95D0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9710 NtQueryInformationToken,LdrInitializeThunk | 2_2_052B9710
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B97A0 NtUnmapViewOfSection,LdrInitializeThunk | 2_2_052B97A0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9780 NtMapViewOfSection,LdrInitializeThunk | 2_2_052B9780
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B96E0 NtFreeVirtualMemory,LdrInitializeThunk | 2_2_052B96E0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 2_2_052B9910
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B99A0 NtCreateSection,LdrInitializeThunk | 2_2_052B99A0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9860 NtQuerySystemInformation,LdrInitializeThunk | 2_2_052B9860
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9840 NtDelayExecution,LdrInitializeThunk | 2_2_052B9840
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9A20 NtResumeThread,LdrInitializeThunk | 2_2_052B9A20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9A50 NtCreateFile,LdrInitializeThunk | 2_2_052B9A50
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9520 NtWaitForSingleObject | 2_2_052B9520
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052BAD30 NtSetContextThread | 2_2_052BAD30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9560 NtWriteFile | 2_2_052B9560
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B95F0 NtQueryInformationFile | 2_2_052B95F0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9730 NtQueryVirtualMemory | 2_2_052B9730
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052BA710 NtOpenProcessToken | 2_2_052BA710
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9760 NtOpenProcess | 2_2_052B9760
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9770 NtSetInformationFile | 2_2_052B9770
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052BA770 NtOpenThread | 2_2_052BA770
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9FE0 NtCreateMutant | 2_2_052B9FE0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9610 NtEnumerateValueKey | 2_2_052B9610
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9660 NtAllocateVirtualMemory | 2_2_052B9660
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9670 NtQueryInformationProcess | 2_2_052B9670
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9650 NtQueryValueKey | 2_2_052B9650
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B96D0 NtCreateKey | 2_2_052B96D0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9950 NtQueueApcThread | 2_2_052B9950
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B99D0 NtCreateProcessEx | 2_2_052B99D0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9820 NtEnumerateKey | 2_2_052B9820
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052BB040 NtSuspendThread | 2_2_052BB040
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B98A0 NtWriteVirtualMemory | 2_2_052B98A0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B98F0 NtReadVirtualMemory | 2_2_052B98F0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9B00 NtSetValueKey | 2_2_052B9B00
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052BA3B0 NtGetContextThread | 2_2_052BA3B0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9A00 NtProtectVirtualMemory | 2_2_052B9A00
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9A10 NtQuerySection | 2_2_052B9A10
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052B9A80 NtOpenDirectoryObject | 2_2_052B9A80
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_02DC54E0 NtDelayExecution | 2_2_02DC54E0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_02DC318C NtWriteVirtualMemory | 2_2_02DC318C
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519840 NtDelayExecution,LdrInitializeThunk | 14_2_04519840
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519860 NtQuerySystemInformation,LdrInitializeThunk | 14_2_04519860
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519540 NtReadFile,LdrInitializeThunk | 14_2_04519540
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519560 NtWriteFile,LdrInitializeThunk | 14_2_04519560
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519910 NtAdjustPrivilegesToken,LdrInitializeThunk | 14_2_04519910
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045195D0 NtClose,LdrInitializeThunk | 14_2_045195D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045199A0 NtCreateSection,LdrInitializeThunk | 14_2_045199A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519650 NtQueryValueKey,LdrInitializeThunk | 14_2_04519650
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519A50 NtCreateFile,LdrInitializeThunk | 14_2_04519A50
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519660 NtAllocateVirtualMemory,LdrInitializeThunk | 14_2_04519660
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519610 NtEnumerateValueKey,LdrInitializeThunk | 14_2_04519610
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045196D0 NtCreateKey,LdrInitializeThunk | 14_2_045196D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045196E0 NtFreeVirtualMemory,LdrInitializeThunk | 14_2_045196E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519770 NtSetInformationFile,LdrInitializeThunk | 14_2_04519770
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519710 NtQueryInformationToken,LdrInitializeThunk | 14_2_04519710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519B00 NtSetValueKey,LdrInitializeThunk | 14_2_04519B00
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519FE0 NtCreateMutant,LdrInitializeThunk | 14_2_04519FE0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519780 NtMapViewOfSection,LdrInitializeThunk | 14_2_04519780
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0451B040 NtSuspendThread | 14_2_0451B040
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519820 NtEnumerateKey | 14_2_04519820
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045198F0 NtReadVirtualMemory | 14_2_045198F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045198A0 NtWriteVirtualMemory | 14_2_045198A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519950 NtQueueApcThread | 14_2_04519950
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0451AD30 NtSetContextThread | 14_2_0451AD30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519520 NtWaitForSingleObject | 14_2_04519520
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045199D0 NtCreateProcessEx | 14_2_045199D0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045195F0 NtQueryInformationFile | 14_2_045195F0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519670 NtQueryInformationProcess | 14_2_04519670
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519A10 NtQuerySection | 14_2_04519A10
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519A00 NtProtectVirtualMemory | 14_2_04519A00
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519A20 NtResumeThread | 14_2_04519A20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519A80 NtOpenDirectoryObject | 14_2_04519A80
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0451A770 NtOpenThread | 14_2_0451A770
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519760 NtOpenProcess | 14_2_04519760
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0451A710 NtOpenProcessToken | 14_2_0451A710
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04519730 NtQueryVirtualMemory | 14_2_04519730
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0451A3B0 NtGetContextThread | 14_2_0451A3B0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045197A0 NtUnmapViewOfSection | 14_2_045197A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49E80 NtAllocateVirtualMemory | 14_2_02A49E80
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49CA0 NtCreateFile | 14_2_02A49CA0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49DD0 NtClose | 14_2_02A49DD0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49D50 NtReadFile | 14_2_02A49D50
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49E7A NtAllocateVirtualMemory | 14_2_02A49E7A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49C9A NtCreateFile | 14_2_02A49C9A
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49DCA NtClose | 14_2_02A49DCA
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A49D4A NtReadFile | 14_2_02A49D4A
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7B4C0 NtQueryInformationToken | 26_2_00D7B4C0
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7B4F8 NtQueryInformationToken,NtQueryInformationToken | 26_2_00D7B4F8
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7B42E NtOpenThreadToken,NtOpenProcessToken,NtClose | 26_2_00D7B42E
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D784BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx | 26_2_00D784BE
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D758A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp | 26_2_00D758A4
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D9B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW | 26_2_00D9B5E0
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D96D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer | 26_2_00D96D90
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D99AB4 NtSetInformationFile | 26_2_00D99AB4
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D783F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError | 26_2_00D783F2
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D86550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z | 26_2_00D86550
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D8374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle | 26_2_00D8374E
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004033A9
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_00406943 | 0_2_00406943
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_0040711A | 0_2_0040711A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_100042CB | 1_2_100042CB
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00401030 | 2_2_00401030
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041E4F2 | 2_2_0041E4F2
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00402D90 | 2_2_00402D90
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00402D94 | 2_2_00402D94
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041D64C | 2_2_0041D64C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00409E20 | 2_2_00409E20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041CEE3 | 2_2_0041CEE3
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041CEE6 | 2_2_0041CEE6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041E753 | 2_2_0041E753
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041DF63 | 2_2_0041DF63
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00402FB0 | 2_2_00402FB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05270D20 | 2_2_05270D20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05341D55 | 2_2_05341D55
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05296E30 | 2_2_05296E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0527F900 | 2_2_0527F900
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_05331002 | 2_2_05331002
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0528B090 | 2_2_0528B090
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052AEBB0 | 2_2_052AEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044E841F | 14_2_044E841F
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04591002 | 14_2_04591002
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044EB090 | 14_2_044EB090
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045020A0 | 14_2_045020A0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_045A1D55 | 14_2_045A1D55
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044DF900 | 14_2_044DF900
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044D0D20 | 14_2_044D0D20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044F4120 | 14_2_044F4120
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044ED5E0 | 14_2_044ED5E0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_04502581 | 14_2_04502581
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_044F6E30 | 14_2_044F6E30
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0450EBB0 | 14_2_0450EBB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4CEE6 | 14_2_02A4CEE6
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4CEE3 | 14_2_02A4CEE3
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A39E20 | 14_2_02A39E20
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A32FB0 | 14_2_02A32FB0
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4DF63 | 14_2_02A4DF63
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4E753 | 14_2_02A4E753
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4E4F2 | 14_2_02A4E4F2
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A32D90 | 14_2_02A32D90
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A32D94 | 14_2_02A32D94
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D93506 | 26_2_00D93506
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7FA30 | 26_2_00D7FA30
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D96FF0 | 26_2_00D96FF0
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D79CF0 | 26_2_00D79CF0
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D748E6 | 26_2_00D748E6
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D95CEA | 26_2_00D95CEA
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7E040 | 26_2_00D7E040
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7D803 | 26_2_00D7D803
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D931DC | 26_2_00D931DC
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D77190 | 26_2_00D77190
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D86550 | 26_2_00D86550
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D81969 | 26_2_00D81969
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D78AD7 | 26_2_00D78AD7
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D75E70 | 26_2_00D75E70
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D75226 | 26_2_00D75226
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D85FC8 | 26_2_00D85FC8
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7CB48 | 26_2_00D7CB48
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\X0brp\nx4tzlcht4nhyjh.exe 3685495D051137B1C4EFDE22C26DF0883614B6453B762FA84588DA55ED2E7744
Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 044DB150 appears 35 times
Source: FtMFciTesQ.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nx4tzlcht4nhyjh.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nx4tzlcht4nhyjh.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: nx4tzlcht4nhyjh.exe.5.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: sfc.dll
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.471196941.0000000005040000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.640198352.0000000002A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.469706193.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.469706193.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000E.00000002.636206463.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000E.00000002.636206463.00000000001E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.471177500.0000000005010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.471177500.0000000005010000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cmd.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.cmd.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@15/24@3/2
Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D7C5CA _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,GetLastError,GetLastError,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,EnterCriticalSection,LeaveCriticalSection,exit | 26_2_00D7C5CA
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_004033A9 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,ExitProcess,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess | 0_2_004033A9
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_00404686 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA | 0_2_00404686
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Code function: 0_2_00402138 CoCreateInstance,MultiByteToWideChar | 0_2_00402138
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Roaming\for
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5464:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_01
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\nsrC1D3.tmp
Source: FtMFciTesQ.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\FtMFciTesQ.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
          Source: FtMFciTesQ.exeVirustotal: Detection: 17%
          Source: FtMFciTesQ.exeReversingLabs: Detection: 16%
          Source: C:\Users\user\Desktop\FtMFciTesQ.exeFile read: C:\Users\user\Desktop\FtMFciTesQ.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\FtMFciTesQ.exe 'C:\Users\user\Desktop\FtMFciTesQ.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,Hurley
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe 'C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe 'C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\FtMFciTesQ.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe SitulaCystocele,HurleyJump to behavior
          Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exeJump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe 'C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe' Jump to behavior
          Source: C:\Windows\explorer.exeProcess created: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe 'C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe' Jump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\SysWOW64\cmd.exe'Jump to behavior
          Source: C:\Users\user\Desktop\FtMFciTesQ.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeFile written: C:\Users\user\AppData\Roaming\50PAP-W8\50Plogri.iniJump to behavior
          Source: C:\Windows\SysWOW64\cmmon32.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: FtMFciTesQ.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: cmd.exe, 00000002.00000002.471218245.0000000005070000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.443771713.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: f:\binaries.x86ret\bin\i386\bbt\opt\bin\i386\vsa7director.pdb source: Vsa7Director.dll.0.dr
          Source: Binary string: cmmon32.pdbGCTL source: cmd.exe, 00000002.00000002.471218245.0000000005070000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: cmd.exe, 00000002.00000002.471329723.0000000005250000.00000040.00000001.sdmp, cmmon32.exe, 0000000E.00000002.642390556.00000000045CF000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: cmmon32.exe, 0000000E.00000002.643256860.00000000049DF000.00000004.00000001.sdmp, nx4tzlcht4nhyjh.exe, 0000001A.00000000.603584485.0000000000D71000.00000020.00020000.sdmp, nx4tzlcht4nhyjh.exe, 0000001C.00000000.621388219.0000000000D71000.00000020.00020000.sdmp, nx4tzlcht4nhyjh.exe.5.dr
          Source: Binary string: wntdll.pdb source: cmd.exe, cmmon32.exe
          Source: Binary string: Microsoft.XslDebugProxy.pdb source: nsrC1D4.tmp.0.dr
          Source: Binary string: PermCalc.pdb source: nsrC1D4.tmp.0.dr
          Source: Binary string: ActiveSyncBootstrap.pdb source: ActiveSyncBootstrap.dll.0.dr
          Source: Binary string: cmd.pdb source: cmmon32.exe, 0000000E.00000002.643256860.00000000049DF000.00000004.00000001.sdmp, nx4tzlcht4nhyjh.exe, nx4tzlcht4nhyjh.exe, 0000001C.00000000.621388219.0000000000D71000.00000020.00020000.sdmp, nx4tzlcht4nhyjh.exe.5.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.443771713.0000000007640000.00000002.00000001.sdmp
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10006B78 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 1_2_10006B78
          Source: nx4tzlcht4nhyjh.exe.5.dr | Static PE information: section name: .didat
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 1_2_10002EED push ecx; ret 1_2_10002F00
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_004178D6 push eax; retf 2_2_004178DF
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041714F push ebp; iretd 2_2_00417159
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041CDF5 push eax; ret 2_2_0041CE48
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041CE42 push eax; ret 2_2_0041CE48
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041CE4B push eax; ret 2_2_0041CEB2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_004166C8 push FFFFFFFAh; retf 2_2_004166CA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_0041CEAC push eax; ret 2_2_0041CEB2
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_00408764 push es; ret 2_2_0040876A
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 2_2_052CD0D1 push ecx; ret 2_2_052CD0E4
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_0452D0D1 push ecx; ret 14_2_0452D0E4
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A478D6 push eax; retf 14_2_02A478DF
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4714F push ebp; iretd 14_2_02A47159
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4CEAC push eax; ret 14_2_02A4CEB2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4CE42 push eax; ret 14_2_02A4CE48
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4CE4B push eax; ret 14_2_02A4CEB2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A38764 push es; ret 14_2_02A3876A
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4DCB3 push 0513817Bh; retf 14_2_02A4DCB8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 14_2_02A4CDF5 push eax; ret 14_2_02A4CE48
          Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D876D1 push ecx; ret 26_2_00D876E4
          Source: C:\Program Files (x86)\X0brp\nx4tzlcht4nhyjh.exe | Code function: 26_2_00D876BD push ecx; ret 26_2_00D876D0
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\Vsa7Director.dll
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\PermCalc.exe
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\MicrosoftVisualStudioUI.dll
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\NatDbgDEUI.dll
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\mode\Thumbs.db\intern\ActiveSyncBootstrap.dll
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Local\Temp\SitulaCystocele.dll
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\X0brp\nx4tzlcht4nhyjh.exe
          Source: C:\Users\user\Desktop\FtMFciTesQ.exe | File created: C:\Users\user\AppData\Roaming\for\page_1\MicrosoftXslDebugProxy.exe
          Source: C:\Windows\SysWOW64\cmmon32.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ONU0IDRHQZC
          Source: C:\Windows\SysWOW64\cmmon32.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ONU0IDRHQZC

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xE8
          Overwrites code with unconditional jumps - possibly setting hooks in foreign process
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77CD5050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77CD50F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77CD5180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77CD5190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77CD51A0 value: E9 4B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77CEFEE0 value: E9 9B FF FF FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C833C0 value: E9 FB 6F 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C84760 value: E9 2B 6B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C46590 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C4B510 value: E9 2B 53 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C6C490 value: E9 0B 00 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C8EE00 value: E9 E1 52 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 4856 base: 77C8EFD0 value: E9 26 5B 00 00
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6408 base: 77CD5050 value: E9 EB 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6408 base: 77CD50F0 value: E9 5B 61 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6408 base: 77CD5180 value: E9 9B 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6408 base: 77CD5190 value: E9 CB 60 FB FF
          Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 6408 base: 77CD51A0 value: E9 4B 60 FB FF
          Source: C: