
Analysis Report formbook_payload.exe

Overview

General Information

Sample Name: formbook_payload.exe
Analysis ID: 289093
MD5: d6a689d265ef751ef429e140ac05cfff
SHA1: 541c663afddfa3e55b6f83d1bc96a32bbb449a09
SHA256: fd0877627dc7213734ca8d6f6585ff8ef6e4ed8301a21bc570f39100d0c143a8

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code references suspicious native API functions
Hides threads from debuggers
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • formbook_payload.exe (PID: 2452 cmdline: 'C:\Users\user\Desktop\formbook_payload.exe' MD5: D6A689D265EF751EF429E140AC05CFFF)
    • formbook_payload.exe (PID: 3428 cmdline: C:\Users\user\Desktop\formbook_payload.exe MD5: D6A689D265EF751EF429E140AC05CFFF)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • svchost.exe (PID: 6600 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
        • cmd.exe (PID: 5676 cmdline: /c del 'C:\Users\user\Desktop\formbook_payload.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • WerFault.exe (PID: 1928 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 848 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

      Unpacked PEs

Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.formbook_payload.exe.400000.0.unpack, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
Source: 1.2.formbook_payload.exe.400000.0.unpack, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com

          Sigma Overview

          System Summary:

Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\formbook_payload.exe, ParentImage: C:\Users\user\Desktop\formbook_payload.exe, ParentProcessId: 3428, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6600
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: C:\Users\user\Desktop\formbook_payload.exe, ParentImage: C:\Users\user\Desktop\formbook_payload.exe, ParentProcessId: 3428, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6600

          Signature Overview

          AV Detection:

Antivirus / Scanner detection for submitted sample
Source: formbook_payload.exe, Avira: detected
Yara detected FormBook
Source: Yara match, File source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.624774870.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.387153989.0000000003E6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000E.00000002.626184928.0000000003870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.424951842.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.424082782.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.formbook_payload.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.formbook_payload.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: formbook_payload.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 0.2.formbook_payload.exe.a80000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 0.0.formbook_payload.exe.a80000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.formbook_payload.exe.d20000.1.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.0.formbook_payload.exe.d20000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 1.2.formbook_payload.exe.400000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen2

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49767
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49769
Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 23.227.38.32:80 -> 192.168.2.3:49771
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 35.242.251.130
Source: Joe Sandbox View, IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: GOOGLEUS
Source: Joe Sandbox View, ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown, DNS traffic detected: queries for: www.xfgyzzm.icu
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found, Date: Wed, 23 Sep 2020 12:44:01 GMT, Content-Type: text/html, Content-Length: 153, Connection: close, Server: nginx/1.16.1, Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a, Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, same file sources as listed under AV Detection above (seven memory dumps and the two unpacked PEs).

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.624774870.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.624774870.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.387153989.0000000003E6C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.387153989.0000000003E6C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000E.00000002.626184928.0000000003870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000E.00000002.626184928.0000000003870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.424951842.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.424951842.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.424082782.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.424082782.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 1.2.formbook_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.formbook_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_004179B0 NtCreateFile
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00417A60 NtReadFile
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00417AE0 NtClose
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00417B90 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00417A5B NtReadFile
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00417ADA NtClose
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00417B8A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D696D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D695D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D6A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69A20 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D6B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D6A770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D6A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69560 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D6AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D69520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB79B0 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB7AE0 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB7A60 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB7B90 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB7ADA NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB7A5B NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB7B8A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_0041B882
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00408A40
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00401208
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00408A3C
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_0041BA92
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00419AB4
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_0041B307
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_0041AF34
          Source: C:\Users\user\Desktop\formbook_payload.exe | Code function: 1_2_00402FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DE03DA
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DEDBD2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D5EBB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D4AB40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF2B28
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF22AE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DDFA2B
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D499BF
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D2F900
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D44120
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF28EC
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D3B090
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D520A0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF20A8
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DE1002
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D4A830
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DFE824
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DFDFCE
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF1FF1
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF2EF7
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DED616
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D46E30
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF25DD
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D3D5E0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D52581
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF1D55
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DF2D07
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D20D20
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03DED466
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_03D3841F
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FBB882
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FB9AB4
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FBBA92
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FA8A40
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FA8A3C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FBB307
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FA2D90
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FA2FB0
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 14_2_00FBAF34
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03D2B150 appears 72 times
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 848
          Source: formbook_payload.exe | Binary or memory string: OriginalFilename vs formbook_payload.exe
          Source: formbook_payload.exe | Binary or memory string: OriginalFilename vs formbook_payload.exe
          Source: formbook_payload.exe, 00000001.00000002.427246415.00000000019BF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs formbook_payload.exe
          Source: formbook_payload.exe, 00000001.00000002.425256290.000000000143B000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamesvchost.exej% vs formbook_payload.exe
          Source: formbook_payload.exe | Binary or memory string: OriginalFilename vs formbook_payload.exe
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.425066982.0000000001400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.626143852.0000000003840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.624774870.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.624774870.0000000000FA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.387153989.0000000003E6C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.387153989.0000000003E6C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.626184928.0000000003870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.626184928.0000000003870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.424951842.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.424951842.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.424082782.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.424082782.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.formbook_payload.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.formbook_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.formbook_payload.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: formbook_payload.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: formbook_payload.exe, eddbaaaaa.eddbaaaaa/dfaadabef.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: formbook_payload.exe, eddbaaaaa.eddbaaaaa/cdcdabaeead.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: formbook_payload.exe, eddbaaaaa.My/bbfaddfadffaadedceabdabbbce.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: formbook_payload.exe, eddbaaaaa.eddbaaaaa/ceaafdbadafbbaebadfdbbaaaafce.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: formbook_payload.exe, eddbaaaaa.My/fafbdfefdef.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: formbook_payload.exe, eddbaaaaa.eddbaaaaa/ccdcbcdfaabeeddaacecbaa.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@14/9
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_01
          Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2452
          Source: C:\Windows\SysWOW64\WerFault.exe | File created: C:\ProgramData\Microsoft\Windows\WER\Temp\WER2FD7.tmp
          Source: formbook_payload.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\formbook_payload.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\formbook_payload.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Users\user\Desktop\formbook_payload.exe | File read: C:\Users\user\Desktop\formbook_payload.exe
          Source: unknown | Process created: C:\Users\user\Desktop\formbook_payload.exe 'C:\Users\user\Desktop\formbook_payload.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\formbook_payload.exe C:\Users\user\Desktop\formbook_payload.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 848
          Source: unknown | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\formbook_payload.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\formbook_payload.exe | Process created: C:\Users\user\Desktop\formbook_payload.exe C:\Users\user\Desktop\formbook_payload.exe
          Source: C:\Users\user\Desktop\formbook_payload.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
          Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\formbook_payload.exe'
          Source: C:\Users\user\Desktop\formbook_payload.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
          Source: C:\Users\user\Desktop\formbook_payload.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: formbook_payload.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: formbook_payload.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: k0C:\Windows\mscorlib.pdb source: formbook_payload.exe, 00000000.00000002.385926824.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: System.Core.ni.pdbRSDSD source: WER2FD7.tmp.dmp.5.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.380203742.0000000006600000.00000002.00000001.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdbx source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: wkernel32.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: sechost.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdbRSDS source: WER2FD7.tmp.dmp.5.dr
          Source: Binary string: mscorlib.pdbx source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: msvcrt.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: formbook_payload.exe, 00000001.00000002.425799312.0000000001710000.00000040.00000001.sdmp, svchost.exe, 0000000E.00000002.626355770.0000000003D00000.00000040.00000001.sdmp
          Source: Binary string: wrpcrt4.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: formbook_payload.exe, 00000001.00000002.425799312.0000000001710000.00000040.00000001.sdmp, WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp, svchost.exe
          Source: Binary string: mscorlib.ni.pdbRSDS source: WER2FD7.tmp.dmp.5.dr
          Source: Binary string: .pdb+ source: formbook_payload.exe, 00000000.00000002.385926824.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: svchost.pdb source: formbook_payload.exe, 00000001.00000002.425157959.0000000001430000.00000040.00000001.sdmp
          Source: Binary string: svchost.pdbUGP source: formbook_payload.exe, 00000001.00000002.425157959.0000000001430000.00000040.00000001.sdmp
          Source: Binary string: advapi32.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: wsspicli.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: System.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.380203742.0000000006600000.00000002.00000001.sdmp
          Source: Binary string: Microsoft.VisualBasic.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: System.Core.ni.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: mscorlib.ni.pdbx source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: System.Windows.Forms.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: mscorlib.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: cryptbase.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: System.Core.pdbx source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: wkernelbase.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: mscorlib.ni.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: System.Core.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: System.Windows.Forms.pdbx source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\user\Desktop\formbook_payload.PDB source: formbook_payload.exe, 00000000.00000002.385926824.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: apphelp.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: Binary string: formbook_payload.PDB source: formbook_payload.exe, 00000000.00000002.385926824.0000000000EF9000.00000004.00000010.sdmp
          Source: Binary string: System.ni.pdbT3 source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: System.ni.pdb source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp, WER2FD7.tmp.dmp.5.dr
          Source: Binary string: System.pdbx source: WerFault.exe, 00000005.00000002.385092383.0000000004C80000.00000004.00000001.sdmp
          Source: Binary string: mscoree.pdb source: WerFault.exe, 00000005.00000003.373355464.00000000049B1000.00000004.00000001.sdmp
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 0_2_00AAE37F push cs; iretd 0_2_00AAE616
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 0_2_00AAE650 push cs; ret 0_2_00AAE690
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 0_2_00AAB416 push es; ret 0_2_00AAB4BE
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041B882 push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041B9CF push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00414995 push ds; retf 1_2_00414998
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041BA86 push edi; ret 1_2_0041BA88
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041BA92 push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041AB75 push eax; ret 1_2_0041ABC8
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041B307 push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041ABC2 push eax; ret 1_2_0041ABC8
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041ABCB push eax; ret 1_2_0041AC32
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041AC5A push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041AC66 push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041AC2C push eax; ret 1_2_0041AC32
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00414CF8 push B9E00431h; ret 1_2_00414CFD
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00414E4B pushad ; ret 1_2_00414E4E
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041AF34 push dword ptr [5B129385h]; ret 1_2_0041AF33
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041473D push ebx; retf 1_2_00414766
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_0041473D push ecx; iretd 1_2_004147DB
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_004147FB push edi; retf 1_2_004147FC
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00D4E37F push cs; iretd 1_2_00D4E616
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00D4B416 push es; ret 1_2_00D4B4BE
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00D4E650 push cs; ret 1_2_00D4E690
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_03D7D0D1 push ecx; ret 14_2_03D7D0E4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_00FBB882 push dword ptr [5B129385h]; ret 14_2_00FBAF33
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_00FB4995 push ds; retf 14_2_00FB4998
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_00FBBA92 push dword ptr [5B129385h]; ret 14_2_00FBAF33
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_00FBBA86 push edi; ret 14_2_00FBBA88
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_00FBABCB push eax; ret 14_2_00FBAC32
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 14_2_00FBABC2 push eax; ret 14_2_00FBABC8
          Source: initial sample Static PE information: section name: .text entropy: 7.64551081555
          Source: C:\Windows\SysWOW64\WerFault.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Immersive\production\Token\{67082621-8D18-4333-9C64-10DE93676363} DeviceTicket
          Source: C:\Users\user\Desktop\formbook_payload.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
          Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\formbook_payload.exe RDTSC instruction interceptor: First address: 00000000004083D4 second address: 00000000004083DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\formbook_payload.exe RDTSC instruction interceptor: First address: 000000000040875E second address: 0000000000408764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000FA83D4 second address: 0000000000FA83DA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000000FA875E second address: 0000000000FA8764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\formbook_payload.exe Code function: 1_2_00408690 rdtsc 1_2_00408690
          Source: C:\Windows\SysWOW64\svchost.exe API coverage: 8.0 %
          Source: C:\Windows\explorer.exe TID: 5688 Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\svchost.exe TID: 412 Thread sleep time: -65000s >= -30000s
          Source: C:\Windows\SysWOW64\WerFault.exe File opened: PhysicalDrive0
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: explorer.exe, 00000004.00000000.382479372.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000004.00000000.382622088.0000000007C3C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00$
          Source: explorer.exe, 00000004.00000000.383438372.0000000007F40000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.384213962.0000000004720000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000004.00000000.382389517.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000004.00000003.553405764.000000000E307000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{
          Source: explorer.exe, 00000004.00000000.382622088.0000000007C3C000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00dRom0s_
          Source: explorer.exe, 00000004.00000002.635444308.00000000044F7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lo
          Source: WerFault.exe, 00000005.00000003.381901212.0000000004621000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
          Source: explorer.exe, 00000004.00000000.382479372.0000000007BBC000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000004.00000000.382389517.0000000007B29000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}T7
          Source: explorer.exe, 00000004.00000000.383438372.0000000007F40000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.384213962.0000000004720000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000004.00000000.383438372.0000000007F40000.00000002.00000001.sdmp, WerFault.exe, 00000005.00000002.384213962.0000000004720000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000004.0000000