
Analysis Report #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe

Overview

General Information

Sample Name: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe
Analysis ID: 287408
MD5: ab4b55dfcb65cc876f4626bc98abf620
SHA1: d2c16d803d620179ee5a147d7eca89fe1f26023f
SHA256: e277d95888a1126812c2581b9678bb238c0154919747ea1dc076876f27dac1d6

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe (PID: 5852 cmdline: 'C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe' MD5: AB4B55DFCB65CC876F4626BC98ABF620)
    • #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe (PID: 6088 cmdline: {path} MD5: AB4B55DFCB65CC876F4626BC98ABF620)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 2328 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • cmd.exe (PID: 1420 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6000 cmdline: /c del 'C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • 9r-x8fdazh.exe (PID: 5640 cmdline: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe MD5: AB4B55DFCB65CC876F4626BC98ABF620)
          • 9r-x8fdazh.exe (PID: 6460 cmdline: {path} MD5: AB4B55DFCB65CC876F4626BC98ABF620)
        • 9r-x8fdazh.exe (PID: 6612 cmdline: 'C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe' MD5: AB4B55DFCB65CC876F4626BC98ABF620)
          • 9r-x8fdazh.exe (PID: 6412 cmdline: {path} MD5: AB4B55DFCB65CC876F4626BC98ABF620)
        • colorcpl.exe (PID: 6532 cmdline: C:\Windows\SysWOW64\colorcpl.exe MD5: 746F3B5E7652EA0766BA10414D317981)
        • autoconv.exe (PID: 6140 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • autochk.exe (PID: 6288 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed under each row)
0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.445609083.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.445609083.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(43 entries in total; the remaining entries are not included in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed under each row)
1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14491:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14aa7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x989a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1370c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa593:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; the remaining entries are not included in this extract)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Ia2kdqd0p\9r-x8fdazh.exe | Virustotal: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\Ia2kdqd0p\9r-x8fdazh.exe | ReversingLabs: Detection: 79%
Multi AV Scanner detection for submitted file
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe | Virustotal: Detection: 71%
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe | ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match | File source: 0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.445609083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.639914357.0000000000B60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.394346469.0000000003C38000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.446556673.00000000016D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.630954569.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.632686579.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001D.00000002.632840209.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.641168423.0000000003380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.640962224.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.635115162.0000000003240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.446328615.0000000001250000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001C.00000002.623136307.0000000003D68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001B.00000002.619309448.0000000003708000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.640276611.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 29.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Ia2kdqd0p\9r-x8fdazh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe | Joe Sandbox ML: detected
Source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 30.2.9r-x8fdazh.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 29.2.9r-x8fdazh.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 10_2_0081B89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose | 10_2_0081B89C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 10_2_008268BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose | 10_2_008268BA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 10_2_0082245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove | 10_2_0082245C
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 10_2_008331DC FindFirstFileW,FindNextFileW,FindClose | 10_2_008331DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 10_2_008185EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW | 10_2_008185EA
Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe | Code function: 4x nop then pop edi | 1_2_00417D98

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.64:80 -> 192.168.2.3:49761
Source: global traffic | HTTP traffic detected: GET /ukj/?pPj8qXg=nfV8ICU5F31/otOpT/nvo9icdchybRtTRlfa7do5yWAfHEUbp1LrsTAABMRh5A43kRmJ&APcTz4=djFLWP3xX4c8 HTTP/1.1 Host: www.anxiousgalco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 23.227.38.64 23.227.38.64
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: global traffic | HTTP traffic detected: GET /ukj/?pPj8qXg=nfV8ICU5F31/otOpT/nvo9icdchybRtTRlfa7do5yWAfHEUbp1LrsTAABMRh5A43kRmJ&APcTz4=djFLWP3xX4c8 HTTP/1.1 Host: www.anxiousgalco.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.anxiousgalco.com
Source: explorer.exe, 00000002.00000000.427273658.000000000E230000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.423272583.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsoft.
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.394279567.0000000002C31000.00000004.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.619202703.0000000002701000.00000004.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.622753427.0000000002D61000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: explorer.exe, 00000002.00000000.398685549.0000000002280000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.421794680.0000000007CC8000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.397718592.0000000006AE2000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.425027504.000000000C230000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001B.00000002.624148559.0000000005690000.00000002.00000001.sdmp, 9r-x8fdazh.exe, 0000001C.00000002.627868573.0000000005DC0000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10336
Source: cmd.exe, 0000000A.00000002.640934274.0000000002F78000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: cmd.exe, 0000000A.00000002.641110777.00000000031A1000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.

E-Banking Fraud:

Yara detected FormBook
          Source: Yara match, File source: 0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.445609083.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.639914357.0000000000B60000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.394346469.0000000003C38000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.446556673.00000000016D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.630954569.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.632686579.0000000001060000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001D.00000002.632840209.00000000012B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.641168423.0000000003380000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000000A.00000002.640962224.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001F.00000002.635115162.0000000003240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.446328615.0000000001250000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001C.00000002.623136307.0000000003D68000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001B.00000002.619309448.0000000003708000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 0000001E.00000002.640276611.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 30.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 29.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 30.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\cmd.exe Dropped file: C:\Users\user\AppData\Roaming\N054R668\N05logri.ini
          Source: C:\Windows\SysWOW64\cmd.exe Dropped file: C:\Users\user\AppData\Roaming\N054R668\N05logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001E.00000002.638042290.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.445609083.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.445609083.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.639914357.0000000000B60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.639914357.0000000000B60000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.394346469.0000000003C38000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.394346469.0000000003C38000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.446556673.00000000016D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.446556673.00000000016D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.630954569.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.630954569.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.632686579.0000000001060000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.632686579.0000000001060000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001D.00000002.632840209.00000000012B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001D.00000002.632840209.00000000012B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.641168423.0000000003380000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.641168423.0000000003380000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.640962224.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.640962224.0000000002FB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001F.00000002.635115162.0000000003240000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001F.00000002.635115162.0000000003240000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.446328615.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.446328615.0000000001250000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001C.00000002.623136307.0000000003D68000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001C.00000002.623136307.0000000003D68000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001B.00000002.619309448.0000000003708000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001B.00000002.619309448.0000000003708000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000001E.00000002.640276611.0000000000F20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001E.00000002.640276611.0000000000F20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 30.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 30.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 29.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 29.2.9r-x8fdazh.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 30.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 30.2.9r-x8fdazh.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00419830 NtCreateFile
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_004198E0 NtReadFile
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00419960 NtClose
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00419A10 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_008158A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_008184BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081B4C0 NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081B4F8 NtQueryInformationToken,NtQueryInformationToken
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081B42E NtOpenThreadToken,NtOpenProcessToken,NtClose
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00836D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0083B5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00839AB4 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_008183F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489770 NtSetInformationFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489B00 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034896D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034896E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489560 NtWriteFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034895D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034899A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0348A770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0348A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034897A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0348A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489660 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0348AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034899D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034895F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0348B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03489820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034898F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034898A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00826550: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0082374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_0118C124
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_0118E570
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_0118E560
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B36B8
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B3432
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B36A8
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B1228
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B3148
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B0040
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_074B0006
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D28CA8
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D24D60
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D282C8
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D25A08
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D29BE0
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D2C351
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D28712
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 0_2_08D2F8E0
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_0041C941
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_0041D143
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_0041DA95
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_0041D29F
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_0041DDD8
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00402D8D
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00409F5C
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00409F5F
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00409F60
          Source: C:\Users\user\Desktop\#Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe Code function: 1_2_00402FB0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_008148E6
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00835CEA
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00819CF0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081D803
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081E040
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00817190
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_008331DC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00833506
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00826550
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00821969
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00818AD7
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00815226
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081FA30
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00815E70
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00825FC8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_00836FF0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0081CB48
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03512B28
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0350DBD2
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03511FF1
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0347EBB0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03466E30
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03512EF7
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_035122AE
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03511D55
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0344F900
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03512D07
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03440D20
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03464120
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_035125DD
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0345D5E0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03472581
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0350D466
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_03501002
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0345841F
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_035128EC
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_0345B090
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_034720A0
          Source: C:\Windows\SysWOW64\cmd.exe Code function: 10_2_035120A8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_00C1C124
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_00C1E560
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_00C1E570
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F28711
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2F648
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F24D60
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F28CB8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F29BE0
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2C360
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F282D8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F25A18
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F26E80
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2CEE8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2BED0
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2BEC0
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2CEAA
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F26E80
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F26E6F
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2B620
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2B610
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2BCB0
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F29CBD
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2BCA0
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F28CA8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2C351
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F29B26
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F282C8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F25A08
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F279E2
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2C180
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2C170
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F23978
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F23968
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F2F8E0
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F20040
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_07F20006
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C3440
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C36B8
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C3148
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C3158
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C003A
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C1008
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C0040
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C3432
          Source: C:\Program Files (x86)\Ia2kdqd0p\9r-x8fdazh.exe Code function: 27_2_092C36A8
          Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 0344B150 appears 35 times
          Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.00000002.398627854.0000000007190000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLoreal.exe4 vs #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe
          Source: #Uc720#Ud2f0#Uc544#Uc774#Ud14c#Ud06c-#Ubc1c#Uc8fc#Uc11c #Uc1a1#Ubd80#Uc758#Uac74..exe, 00000000.0000