
Analysis Report yeni sipari#U015f.exe

Overview

General Information

Sample Name: yeni sipari#U015f.exe
Analysis ID: 299276
MD5: 293141c98bfbd539cb58ddae26eef5e7
SHA1: 44f51770124f574e6d061812f4a9400411d0d6a7
SHA256: fc6c24e17bd06e27dcc1ac019e4080d4a1a2f10459f74c17b9bb19fb8ba6e442
Tags: exe, geoTUR


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • yeni sipari#U015f.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\yeni sipari#U015f.exe' MD5: 293141C98BFBD539CB58DDAE26EEF5E7)
    • schtasks.exe (PID: 7108 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6936 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 6876 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 6668 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
(16 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author
5.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
5.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started, Author: Joe Security, Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\yeni sipari#U015f.exe', ParentImage: C:\Users\user\Desktop\yeni sipari#U015f.exe, ParentProcessId: 6688, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp', ProcessId: 7108
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6876
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3424, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 6876

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\NHwOyunjpl.exe, ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: yeni sipari#U015f.exe, Virustotal: Detection: 25%
Source: yeni sipari#U015f.exe, ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.917517246.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.689896103.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.917803315.0000000002640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.689497365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\NHwOyunjpl.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: yeni sipari#U015f.exe, Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.RegSvcs.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /fs8/?CR=Cp-DpJv&vh=5wkHqKxE5kSrFJfRBUHjGfY+DeqaHK5Af6nbxEGq7VkWT0qC0akpMB+TzDqo2wzrh1pr HTTP/1.1 Host: www.craftyfresh.email Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /fs8/?vh=DsCjhhZg2SULyv6T8TAfETZ0RU1CZLi5j+alsYL0Jg76TzI5Eh6AgRMY0RpM9i2H6ELM&CR=Cp-DpJv HTTP/1.1 Host: www.wrightjusticesolicitors.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /fs8/?vh=9p35V3Y0QnhPJMAdx1z9xxXt1u9NKj7J5neU3YLkGviBaWhi7GibFKbSWTlziWcdTp+Q&CR=Cp-DpJv HTTP/1.1 Host: www.americastandproudagain.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 52.58.78.16
Source: Joe Sandbox View, IP Address: 208.91.197.39
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: AS-COLOCROSSINGUS
Source: Joe Sandbox View, ASN Name: AMAZON-02US
Source: Joe Sandbox View, ASN Name: CONFLUENCE-NETWORK-INCVG
Source: C:\Windows\explorer.exe, Code function: 6_2_04DDD7A2 getaddrinfo,setsockopt,recv,6_2_04DDD7A2
Source: unknown, DNS traffic detected: queries for: www.craftyfresh.email

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.917517246.00000000002F0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.689896103.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.917803315.0000000002640000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.689497365.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.917517246.00000000002F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.917517246.00000000002F0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.689896103.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.689896103.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.917803315.0000000002640000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.917803315.0000000002640000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.689497365.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.689497365.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A050 NtClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A100 NtAllocateVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00419F20 NtCreateFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00419FD0 NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A04A NtClose
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A01A NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0041A0FA NtAllocateVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_00419FCC NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010899A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010898F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010895D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010897A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010896E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089950 NtQueueApcThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010899D0 NtCreateProcessEx
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089820 NtEnumerateKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0108B040 NtSuspendThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010898A0 NtWriteVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089B00 NtSetValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0108A3B0 NtGetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089A10 NtQuerySection
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089A80 NtOpenDirectoryObject
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089520 NtWaitForSingleObject
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0108AD30 NtSetContextThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089560 NtWriteFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010895F0 NtQueryInformationFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0108A710 NtOpenProcessToken
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089730 NtQueryVirtualMemory
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089760 NtOpenProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089770 NtSetInformationFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_0108A770 NtOpenThread
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089FE0 NtCreateMutant
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089610 NtEnumerateValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089650 NtQueryValueKey
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_01089670 NtQueryInformationProcess
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 5_2_010896D0 NtCreateKey
            Source: C:\Windows\explorer.exe Code function: 6_2_04DDCA52 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030699A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030696D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030696E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030695D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0306A3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069A10 NtQuerySection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069A20 NtResumeThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030699D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0306B040 NtSuspendThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030698A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030698F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0306A710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069760 NtOpenProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0306A770 NtOpenThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030697A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0306AD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_03069560 NtWriteFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_030695F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0265A050 NtClose
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0265A100 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_02659F20 NtCreateFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_02659FD0 NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0265A04A NtClose
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0265A01A NtReadFile
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_0265A0FA NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 7_2_02659FCC NtReadFile
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0104B150 appears 35 times
            Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0302B150 appears 54 times
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameexag vs yeni sipari#U015f.exe
            Source: yeni sipari#U015f.exe, 00000001.00000002.665975636.0000000006DF0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs yeni sipari#U015f.exe
            Source: yeni sipari#U015f.exe, 00000001.00000002.665975636.0000000006DF0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs yeni sipari#U015f.exe
            Source: yeni sipari#U015f.exe, 00000001.00000002.665694709.0000000006630000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameaLiu.exe6 vs yeni sipari#U015f.exe
            Source: yeni sipari#U015f.exe, 00000001.00000002.665508004.00000000064E0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameKedermister.dllT vs yeni sipari#U015f.exe
            Source: yeni sipari#U015f.exe, 00000001.00000002.665793369.0000000006CF0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs yeni sipari#U015f.exe
            Source: yeni sipari#U015f.exe Binary or memory string: OriginalFilenameaLiu.exe6 vs yeni sipari#U015f.exe
            Source: 00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.689933968.0000000000B20000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.662227304.0000000004339000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.917517246.00000000002F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.917517246.00000000002F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.689896103.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.689896103.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.917803315.0000000002640000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.917803315.0000000002640000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.689497365.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.689497365.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: yeni sipari#U015f.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: NHwOyunjpl.exe.1.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine Classification label: mal100.troj.evad.winEXE@10/4@3/3
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe File created: C:\Users\user\AppData\Roaming\NHwOyunjpl.exe
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe Mutant created: \Sessions\1\BaseNamedObjects\XfjxDyALJOmcZjAoNXTjwv
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_01
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6000:120:WilError_01
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe File created: C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp
            Source: yeni sipari#U015f.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe File read: C:\Users\user\Desktop\desktop.ini
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
            Source: yeni sipari#U015f.exe Virustotal: Detection: 25%
            Source: yeni sipari#U015f.exe ReversingLabs: Detection: 27%
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe File read: C:\Users\user\Desktop\yeni sipari#U015f.exe
            Source: unknown Process created: C:\Users\user\Desktop\yeni sipari#U015f.exe 'C:\Users\user\Desktop\yeni sipari#U015f.exe'
            Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp'
            Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: unknown Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
            Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp'
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: yeni sipari#U015f.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: yeni sipari#U015f.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.930004372.0000000005A00000.00000002.00000001.sdmp
            Source: Binary string: RegSvcs.pdb, source: svchost.exe, 00000007.00000002.917947747.0000000002A12000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000005.00000002.690550192.0000000001020000.00000040.00000001.sdmp, svchost.exe, 00000007.00000003.690872432.0000000002E00000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: RegSvcs.exe, svchost.exe
            Source: Binary string: RegSvcs.pdb source: svchost.exe, 00000007.00000002.917947747.0000000002A12000.00000004.00000001.sdmp
            Source: Binary string: svchost.pdb source: RegSvcs.exe, 00000005.00000002.690141768.0000000000BE9000.00000004.00000020.sdmp
            Source: Binary string: svchost.pdbUGP source: RegSvcs.exe, 00000005.00000002.690141768.0000000000BE9000.00000004.00000020.sdmp
            Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.930004372.0000000005A00000.00000002.00000001.sdmp
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe | Code function: 1_2_06624BDE push es; iretd 1_2_06624BFC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D075 push eax; ret 5_2_0041D0C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0040E829 push ss; ret 5_2_0040E82B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D0C2 push eax; ret 5_2_0041D0C8
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D0CB push eax; ret 5_2_0041D132
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041D12C push eax; ret 5_2_0041D132
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041719A push ebp; ret 5_2_0041719B
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00416B67 push FFFFFF90h; ret 5_2_00416B76
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00403BC4 push es; iretd 5_2_00403BCA
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00416C7A push ebp; retf 5_2_00416C85
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0041BCAA push ecx; retf 5_2_0041BCAC
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00406E46 push eax; iretd 5_2_00406E4F
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00416690 push es; iretd 5_2_00416691
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00416757 push ebx; retf 5_2_00416758
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_0109D0D1 push ecx; ret 5_2_0109D0E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0307D0D1 push ecx; ret 7_2_0307D0E4
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_02656B67 push FFFFFF90h; ret 7_2_02656B76
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_02643BC4 push es; iretd 7_2_02643BCA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0265D075 push eax; ret 7_2_0265D0C8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0264E829 push ss; ret 7_2_0264E82B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0265D0C2 push eax; ret 7_2_0265D0C8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0265D0CB push eax; ret 7_2_0265D132
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0265D12C push eax; ret 7_2_0265D132
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0265719A push ebp; ret 7_2_0265719B
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_02646E46 push eax; iretd 7_2_02646E4F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_02656690 push es; iretd 7_2_02656691
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_02656757 push ebx; retf 7_2_02656758
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_02656C7A push ebp; retf 7_2_02656C85
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 7_2_0265BCAA push ecx; retf 7_2_0265BCAC
            Source: initial sample | Static PE information: section name: .text entropy: 7.59519884483 (listed twice in the report)
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe | File created: C:\Users\user\AppData\Roaming\NHwOyunjpl.exe
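A .text section at 7.6 bits of entropy per byte (the maximum is 8.0) is what a compressed or encrypted section body looks like: the .NET assembly carries a packed payload that is only unpacked in memory, which fits the process injection reported elsewhere in this analysis. The check a triage script performs is to walk the PE section table, compute Shannon entropy per section and flag anything above a threshold. The Python below is an added example written for this page, not Joe Sandbox's or the sample's code: it parses the section table of a PE, but the PE it analyses is built inside the script from constructed data, and the 7.0 cut-off is an assumption (a common rule of thumb, not a value from the report).

```python
import hashlib
import math
import struct
from collections import Counter

PACKED_THRESHOLD = 7.0   # assumption: rule-of-thumb cut-off for compressed/encrypted data


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pe_sections(blob: bytes):
    """Walk the PE section table and return [(name, raw_bytes)] for every section."""
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", blob, e_lfanew + 6)[0]        # IMAGE_FILE_HEADER.NumberOfSections
    opt_size = struct.unpack_from("<H", blob, e_lfanew + 20)[0]   # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    off = e_lfanew + 24 + opt_size                                 # start of IMAGE_SECTION_HEADER array
    out = []
    for _ in range(nsec):
        name = blob[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        _vsize, _rva, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, off + 8)
        out.append((name, blob[raw_ptr:raw_ptr + raw_size]))
        off += 40                                                  # sizeof(IMAGE_SECTION_HEADER)
    return out


def section_verdicts(blob: bytes, threshold: float = PACKED_THRESHOLD):
    """[(section name, entropy rounded to 3 places, flagged as packed)]."""
    return [(name, round(shannon_entropy(data), 3), shannon_entropy(data) >= threshold)
            for name, data in pe_sections(blob)]


def build_constructed_pe(sections, align=0x200) -> bytes:
    """Minimal, non-loadable PE64 whose only purpose is a valid section table (constructed)."""
    e_lfanew, opt_size = 0x80, 0xF0
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt_hdr = struct.pack("<H", 0x20B).ljust(opt_size, b"\x00")
    headers_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_ptr = (headers_len + align - 1) // align * align
    table, body, rva = b"", b"", 0x1000
    for name, data in sections:
        raw_size = (len(data) + align - 1) // align * align
        table += name.encode("ascii").ljust(8, b"\x00")
        table += struct.pack("<IIIIIIHHI", len(data), rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data.ljust(raw_size, b"\x00")
        raw_ptr += raw_size
        rva += 0x10000
    headers = dos + b"PE\x00\x00" + file_hdr + opt_hdr + table
    return headers.ljust((headers_len + align - 1) // align * align, b"\x00") + body


# Constructed section contents: a pseudo-random 4 KiB .text (stand-in for an encrypted
# payload) and a low-entropy .rsrc; neither comes from the analysed sample.
HIGH_ENTROPY = b"".join(hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(128))
LOW_ENTROPY = b"RSRC" * 64 + b"\x00" * 768
CONSTRUCTED_PE = build_constructed_pe([(".text", HIGH_ENTROPY), (".rsrc", LOW_ENTROPY)])

if __name__ == "__main__":
    for name, ent, flagged in section_verdicts(CONSTRUCTED_PE):
        print(f"{name:8s} entropy={ent:.3f} {'PACKED?' if flagged else 'ok'}")
```

On a real file, `section_verdicts(open(path, "rb").read())` is all that is needed; a high-entropy .text in a .NET executable is a stronger signal than in native code, because MSIL compiles to low-entropy bytecode and the runtime's own sections rarely exceed about 6.5 bits.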

            Boot Survival:

            Uses schtasks.exe or at.exe to add and modify task schedules
            Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\NHwOyunjpl' /XML 'C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp'
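Three process-creation events in this report are worth turning into detection rules: RegSvcs.exe launched by the sample from the user's Desktop with nothing but its own path on the command line (the hollowing host), cmd.exe deleting that RegSvcs.exe under C:\Windows on behalf of svchost.exe, and schtasks.exe creating a task from an XML file in the user's Temp directory (the behaviour behind the Sigma hit "Scheduled temp file as task from temp location"). The Python below is an added example written for this page, not Joe Sandbox code and not part of the sample: the rules run over constructed Sysmon-style records that mirror the report's command lines plus two benign controls whose paths and task names are invented.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Process-creation record in the shape of Sysmon EventID 1 (constructed schema)."""
    parent_image: str
    image: str
    command_line: str


# Task XML read from the user's Temp directory: the task is defined by a file the dropper just wrote.
TEMP_XML_RE = re.compile(r'/xml\s+"?([^"\s]*\\AppData\\Local\\Temp\\[^"\s]+)', re.IGNORECASE)
# cmd.exe deleting something under C:\Windows: cleanup of a hollowed or copied host binary.
DEL_WINDOWS_RE = re.compile(r'\bdel\s+"?(C:\\Windows\\[^"\s]+)', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_schtasks_create_from_temp_xml(ev: ProcEvent) -> bool:
    return (_basename(ev.image) == "schtasks.exe"
            and "/create" in ev.command_line.lower()
            and TEMP_XML_RE.search(ev.command_line) is not None)


def rule_cmd_del_windows_binary(ev: ProcEvent) -> bool:
    return (_basename(ev.image) == "cmd.exe"
            and DEL_WINDOWS_RE.search(ev.command_line) is not None)


def rule_regsvcs_no_args_user_parent(ev: ProcEvent) -> bool:
    """RegSvcs.exe normally takes an assembly path; started from a user-writable parent
    with nothing but its own path on the command line it is a hollowing host."""
    if _basename(ev.image) != "regsvcs.exe":
        return False
    if not ev.parent_image.lower().startswith("c:\\users\\"):
        return False
    return ev.command_line.strip().strip('"').lower() == ev.image.lower()


RULES = {
    "schtasks_create_from_temp_xml": rule_schtasks_create_from_temp_xml,
    "cmd_del_windows_binary": rule_cmd_del_windows_binary,
    "regsvcs_no_args_user_parent": rule_regsvcs_no_args_user_parent,
}


def detect(events):
    """Return [(rule_name, event_index)] for every rule that fires on each event."""
    return [(name, i) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
DROPPER = r"C:\Users\user\Desktop\yeni sipari#U015f.exe"

# Constructed records mirroring the command lines in this report, plus two benign controls.
SAMPLE_EVENTS = [
    ProcEvent(DROPPER, NET + r"\RegSvcs.exe", NET + r"\RegSvcs.exe"),
    ProcEvent(DROPPER, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NHwOyunjpl" '
              r'/XML "C:\Users\user\AppData\Local\Temp\tmpF9F8.tmp"'),
    ProcEvent(r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\cmd.exe",
              r'cmd.exe /c del "' + NET + r'\RegSvcs.exe"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Backup" /XML "C:\ProgramData\Backup\task.xml"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c del "C:\Users\user\old.log"'),
]

if __name__ == "__main__":
    for name, i in detect(SAMPLE_EVENTS):
        print(f"{name}: {SAMPLE_EVENTS[i].command_line}")
```

The first two rules are a direct translation of what the report shows; the third depends on the parent image, so it only works on telemetry that records the parent (Sysmon EventID 1 and Windows 4688 with command-line auditing both do).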

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE5
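The PeekMessageA entry above is the usual evidence of a user-mode inline hook: the first bytes of the export as mapped in explorer.exe no longer match the function's prologue in the user32.dll file on disk. A host-based check reads the first bytes of each export of interest from the target process, compares them with the same bytes from the DLL on disk and, when they differ, classifies the patch and resolves any jmp target to see whether it leaves the owning module. The Python below is an added example written for this page, not the report's or the sample's code: the clean prologue, the module range, the function address and the injected target are assumptions, the hooked buffers are constructed, and the six "new code" bytes the report lists for PeekMessageA are used as one of the constructed in-memory views. Reading the live bytes (ReadProcessMemory, mapping the DLL) is outside the example.

```python
import struct

USER32_RANGE = (0x7FF810000000, 0x7FF8101A0000)   # assumption: image range of user32.dll in the target
PEEKMSG_ADDR = 0x7FF81005A000                       # assumption: address of user32!PeekMessageA

# Assumed clean prologue (constructed, not the real PeekMessageA bytes):
#   sub rsp,28h ; test rcx,rcx ; je +0Ah ; mov rax,[rcx] ; add rsp,28h
CLEAN = bytes.fromhex("4883ec284885c9740a488b014883c428")


def classify_patch(mem: bytes) -> str:
    """Name the trampoline shape at the start of `mem`, or 'unknown'."""
    if mem[:1] == b"\xe9":
        return "jmp rel32"
    if mem[:2] == b"\xff\x25":
        return "jmp [rip+disp32]"
    if mem[:1] == b"\x68" and mem[5:6] == b"\xc3":
        return "push imm32; ret"
    if mem[:2] == b"\x48\xb8" and mem[10:12] == b"\xff\xe0":
        return "mov rax, imm64; jmp rax"
    return "unknown"


def jmp_rel32_target(func_addr: int, mem: bytes) -> int:
    """Absolute destination of an E9 rel32 jmp whose first byte is at func_addr."""
    rel = struct.unpack("<i", mem[1:5])[0]
    return (func_addr + 5 + rel) & 0xFFFFFFFFFFFFFFFF


def check_prologue(func_name, func_addr, mem, disk, module_range, n=16):
    """Compare the first n bytes seen in the process (`mem`) with the on-disk export (`disk`)."""
    if mem[:n] == disk[:n]:
        return {"function": func_name, "status": "clean"}
    first_diff = next(i for i in range(n) if mem[i:i + 1] != disk[i:i + 1])
    shape = classify_patch(mem)
    result = {"function": func_name, "status": "hooked",
              "first_diff": first_diff, "shape": shape}
    if shape == "jmp rel32":
        target = jmp_rel32_target(func_addr, mem)
        lo, hi = module_range
        result["target"] = target
        # A jmp that lands outside the owning module is the injected-hook signature;
        # compiler hot-patch stubs and import thunks stay inside the image.
        result["target_in_module"] = lo <= target < hi
    return result


# Constructed hooked views of the same 16 bytes.
INJECTED_TARGET = 0x7FF820000000   # assumption: an injected region outside user32.dll
HOOKED_JMP = b"\xe9" + struct.pack("<i", INJECTED_TARGET - (PEEKMSG_ADDR + 5)) + CLEAN[5:]
# The six 'new code' bytes this report lists for PeekMessageA, followed by the assumed tail.
REPORTED_NEW_CODE = bytes.fromhex("488bb8877ee5") + CLEAN[6:]

if __name__ == "__main__":
    for label, view in (("clean", CLEAN), ("jmp hook", HOOKED_JMP), ("reported", REPORTED_NEW_CODE)):
        print(label, check_prologue("user32!PeekMessageA", PEEKMSG_ADDR, view, CLEAN, USER32_RANGE))
```

The reported bytes do not start with any of the classic trampoline opcodes, so the classifier returns "unknown" for them while still reporting the function as hooked from offset 1; that is the right outcome, since the disk comparison, not the opcode pattern, is what decides.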
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe | Process information set: NOOPENFILEERRORBOX (reported 35 times)
            Source: C:\Windows\SysWOW64\svchost.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match | File source: 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.661867649.0000000003331000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: yeni sipari#U015f.exe PID: 6688, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 00000000026498E4 second address: 00000000026498EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe | RDTSC instruction interceptor: First address: 0000000002649B4E second address: 0000000002649B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00409A80 rdtsc 5_2_00409A80
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe | Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe TID: 6660 | Thread sleep time: -49787s >= -30000s
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe TID: 6940 | Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 6240 | Thread sleep count: 41 > 30
            Source: C:\Windows\explorer.exe TID: 6240 | Thread sleep time: -82000s >= -30000s
            Source: C:\Windows\SysWOW64\svchost.exe TID: 1256 | Thread sleep time: -48000s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (reported 2 times)
            Source: C:\Windows\explorer.exe | Last function: Thread delayed (reported 2 times)
            Source: C:\Windows\SysWOW64\svchost.exe | Last function: Thread delayed (reported 2 times)
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000006.00000000.674663184.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b} (reported 2 times)
            Source: explorer.exe, 00000006.00000000.670562001.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | Binary or memory string: vmware
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
            Source: explorer.exe, 00000006.00000000.671168461.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000006.00000000.668221590.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
            Source: explorer.exe, 00000006.00000000.674756936.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
            Source: explorer.exe, 00000006.00000000.670562001.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000006.00000000.670562001.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: explorer.exe, 00000006.00000000.674803048.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
            Source: yeni sipari#U015f.exe, 00000001.00000002.661929491.000000000338B000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000006.00000000.670562001.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\yeni sipari#U015f.exe | Process information queried: ProcessInformation