
Analysis Report BANK ACCOUNT INFO!.exe

Overview

General Information

Sample Name: BANK ACCOUNT INFO!.exe
Analysis ID: 321134
MD5: 0bd3e9073a968fd6c10c3b163302c2c9
SHA1: f0b948a18e960b1e5141471fe6e1cb4e85a2867d
SHA256: dde122ac5a5a8eb786e335b3278dc5aae9cd3635c889fc4eb641a7a69123954d
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BANK ACCOUNT INFO!.exe (PID: 5264 cmdline: 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe' MD5: 0BD3E9073A968FD6C10C3B163302C2C9)
    • BANK ACCOUNT INFO!.exe (PID: 1708 cmdline: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe MD5: 0BD3E9073A968FD6C10C3B163302C2C9)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • wscript.exe (PID: 5884 cmdline: C:\Windows\SysWOW64\wscript.exe MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • cmd.exe (PID: 3216 cmdline: /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a6e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b6ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.meatslasvegas.com/sbmh/ | Avira URL Cloud: Label: malware
Source: http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com | Avira URL Cloud: Label: malware
Source: http://www.meatslasvegas.com | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: BANK ACCOUNT INFO!.exe | Virustotal: Detection: 21%
Source: BANK ACCOUNT INFO!.exe | ReversingLabs: Detection: 10%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BANK ACCOUNT INFO!.exe | Joe Sandbox ML: detected
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: global traffic | HTTP traffic detected: GET /sbmh/?FPWlMXx=PcjUtjh0MRWP8BRvWG8NuUt69AEkHHHW5P4XnB/f7cjpZcBvzWU1+UolGZvfCul1Hwqj&AlO=O2JtmTIX2 HTTP/1.1 Host: www.ablehead.net Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sbmh/?FPWlMXx=W647QVGGXcyuIQJd2YRsV4l3KrBdlR6nE0kWwxhnTOMt1o1EWv0jVtfUgI2cf5E+EjKE&AlO=O2JtmTIX2 HTTP/1.1 Host: www.katrinarask.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /sbmh/?FPWlMXx=+2tIfJwwghXNm+fysv8+EMC6xMyDXIpTEsDIQwPK5FpH6PGBMSGX6HHqgPLM/DeZI3NR&AlO=O2JtmTIX2 HTTP/1.1 Host: www.wellnysdirect.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | IP Address: 198.49.23.141 198.49.23.141
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: unknown | DNS traffic detected: queries for: www.friendlyksa.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Fri, 20 Nov 2020 11:02:06 GMT Server: Apache Content-Length: 203 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 62 6d 68 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /sbmh/ was not found on this server.</p></body></html>
Source: explorer.exe, 00000002.00000003.295037272.000000000F541000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.229795137.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.m
Source: explorer.exe, 00000002.00000000.229795137.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.micr
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.ablehead.net
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.ablehead.net/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.ablehead.net/sbmh/www.katrinarask.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.ablehead.netReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.downrangedynamics.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.downrangedynamics.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.downrangedynamics.com/sbmh/www.meatslasvegas.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.downrangedynamics.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.elegancerealestategroup.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.elegancerealestategroup.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.elegancerealestategroup.com/sbmh/www.hoy.viajes
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.elegancerealestategroup.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.endlessgirls.online
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.endlessgirls.online/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.endlessgirls.online/sbmh/www.makgxoimisitzer.info
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.endlessgirls.onlineReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.exposingsecrets.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.exposingsecrets.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.exposingsecrets.com/sbmh/www.parking500.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.exposingsecrets.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.faculdadegraca.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.faculdadegraca.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.faculdadegraca.com/sbmh/www.magentos6.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.faculdadegraca.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.firedoom.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.firedoom.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.firedoom.com/sbmh/www.endlessgirls.online
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.firedoom.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.friendlyksa.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.friendlyksa.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.friendlyksa.com/sbmh/www.ablehead.net
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.friendlyksa.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.hoy.viajes
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.hoy.viajes/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.hoy.viajes/sbmh/www.firedoom.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.hoy.viajesReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.katrinarask.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.katrinarask.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.katrinarask.com/sbmh/www.wellnysdirect.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.katrinarask.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.magentos6.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.magentos6.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.magentos6.com/sbmh/www.elegancerealestategroup.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.magentos6.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.makgxoimisitzer.info
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.makgxoimisitzer.info/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.makgxoimisitzer.info/sbmh/www.downrangedynamics.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.makgxoimisitzer.infoReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.meatslasvegas.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.meatslasvegas.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.meatslasvegas.com/sbmh/www.salon-massage-linit.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.meatslasvegas.comReferer:
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.parking500.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.parking500.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.parking500.com/sbmh/www.faculdadegraca.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.parking500.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.salon-massage-linit.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.salon-massage-linit.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.salon-massage-linit.com/sbmh/N
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.salon-massage-linit.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.wellnysdirect.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.wellnysdirect.com/sbmh/
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.wellnysdirect.com/sbmh/www.exposingsecrets.com
Source: explorer.exe, 00000002.00000003.295296507.00000000089CA000.00000004.00000001.sdmp | String found in binary or memory: http://www.wellnysdirect.comReferer:
Source: explorer.exe, 00000002.00000000.229950600.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: wscript.exe, 00000004.00000002.479367974.000000000546F000.00000004.00000001.sdmp | String found in binary or memory: https://www.wellnysdirect.com/sbmh/?FPWlMXx=

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
Malicious sample detected (through community Yara rule)
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_0041A050 NtClose, 1_2_0041A050
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_0041A100 NtAllocateVirtualMemory, 1_2_0041A100
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_00419F20 NtCreateFile, 1_2_00419F20
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_00419FD0 NtReadFile, 1_2_00419FD0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_00419FCA NtReadFile, 1_2_00419FCA
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 1_2_014B9910
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B99A0 NtCreateSection, LdrInitializeThunk, 1_2_014B99A0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9840 NtDelayExecution, LdrInitializeThunk, 1_2_014B9840
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9860 NtQuerySystemInformation, LdrInitializeThunk, 1_2_014B9860
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B98F0 NtReadVirtualMemory, LdrInitializeThunk, 1_2_014B98F0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9A50 NtCreateFile, LdrInitializeThunk, 1_2_014B9A50
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9A00 NtProtectVirtualMemory, LdrInitializeThunk, 1_2_014B9A00
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9A20 NtResumeThread, LdrInitializeThunk, 1_2_014B9A20
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9540 NtReadFile, LdrInitializeThunk, 1_2_014B9540
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B95D0 NtClose, LdrInitializeThunk, 1_2_014B95D0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9710 NtQueryInformationToken, LdrInitializeThunk, 1_2_014B9710
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9780 NtMapViewOfSection, LdrInitializeThunk, 1_2_014B9780
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B97A0 NtUnmapViewOfSection, LdrInitializeThunk, 1_2_014B97A0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9660 NtAllocateVirtualMemory, LdrInitializeThunk, 1_2_014B9660
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B96E0 NtFreeVirtualMemory, LdrInitializeThunk, 1_2_014B96E0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9950 NtQueueApcThread, 1_2_014B9950
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B99D0 NtCreateProcessEx, 1_2_014B99D0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014BB040 NtSuspendThread, 1_2_014BB040
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9820 NtEnumerateKey, 1_2_014B9820
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B98A0 NtWriteVirtualMemory, 1_2_014B98A0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9B00 NtSetValueKey, 1_2_014B9B00
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014BA3B0 NtGetContextThread, 1_2_014BA3B0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9A10 NtQuerySection, 1_2_014B9A10
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9A80 NtOpenDirectoryObject, 1_2_014B9A80
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9560 NtWriteFile, 1_2_014B9560
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9520 NtWaitForSingleObject, 1_2_014B9520
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014BAD30 NtSetContextThread, 1_2_014BAD30
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B95F0 NtQueryInformationFile, 1_2_014B95F0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9760 NtOpenProcess, 1_2_014B9760
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014BA770 NtOpenThread, 1_2_014BA770
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9770 NtSetInformationFile, 1_2_014B9770
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014BA710 NtOpenProcessToken, 1_2_014BA710
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9730 NtQueryVirtualMemory, 1_2_014B9730
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9FE0 NtCreateMutant, 1_2_014B9FE0
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9650 NtQueryValueKey, 1_2_014B9650
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9670 NtQueryInformationProcess, 1_2_014B9670
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B9610 NtEnumerateValueKey, 1_2_014B9610
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: 1_2_014B96D0 NtCreateKey, 1_2_014B96D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB95D0 NtClose, LdrInitializeThunk, 4_2_04AB95D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9540 NtReadFile, LdrInitializeThunk, 4_2_04AB9540
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB96E0 NtFreeVirtualMemory, LdrInitializeThunk, 4_2_04AB96E0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB96D0 NtCreateKey, LdrInitializeThunk, 4_2_04AB96D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9660 NtAllocateVirtualMemory, LdrInitializeThunk, 4_2_04AB9660
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9650 NtQueryValueKey, LdrInitializeThunk, 4_2_04AB9650
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9780 NtMapViewOfSection, LdrInitializeThunk, 4_2_04AB9780
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9FE0 NtCreateMutant, LdrInitializeThunk, 4_2_04AB9FE0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9710 NtQueryInformationToken, LdrInitializeThunk, 4_2_04AB9710
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9860 NtQuerySystemInformation, LdrInitializeThunk, 4_2_04AB9860
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9840 NtDelayExecution, LdrInitializeThunk, 4_2_04AB9840
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB99A0 NtCreateSection, LdrInitializeThunk, 4_2_04AB99A0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9910 NtAdjustPrivilegesToken, LdrInitializeThunk, 4_2_04AB9910
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9A50 NtCreateFile, LdrInitializeThunk, 4_2_04AB9A50
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB95F0 NtQueryInformationFile, 4_2_04AB95F0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9520 NtWaitForSingleObject, 4_2_04AB9520
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04ABAD30 NtSetContextThread, 4_2_04ABAD30
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9560 NtWriteFile, 4_2_04AB9560
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9610 NtEnumerateValueKey, 4_2_04AB9610
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9670 NtQueryInformationProcess, 4_2_04AB9670
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB97A0 NtUnmapViewOfSection, 4_2_04AB97A0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9730 NtQueryVirtualMemory, 4_2_04AB9730
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04ABA710 NtOpenProcessToken, 4_2_04ABA710
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9760 NtOpenProcess, 4_2_04AB9760
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04ABA770 NtOpenThread, 4_2_04ABA770
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9770 NtSetInformationFile, 4_2_04AB9770
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB98A0 NtWriteVirtualMemory, 4_2_04AB98A0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB98F0 NtReadVirtualMemory, 4_2_04AB98F0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9820 NtEnumerateKey, 4_2_04AB9820
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04ABB040 NtSuspendThread, 4_2_04ABB040
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB99D0 NtCreateProcessEx, 4_2_04AB99D0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9950 NtQueueApcThread, 4_2_04AB9950
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9A80 NtOpenDirectoryObject, 4_2_04AB9A80
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9A20 NtResumeThread, 4_2_04AB9A20
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9A00 NtProtectVirtualMemory, 4_2_04AB9A00
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9A10 NtQuerySection, 4_2_04AB9A10
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04ABA3B0 NtGetContextThread, 4_2_04ABA3B0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_04AB9B00 NtSetValueKey, 4_2_04AB9B00
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_005DA050 NtClose, 4_2_005DA050
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_005DA100 NtAllocateVirtualMemory, 4_2_005DA100
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_005D9F20 NtCreateFile, 4_2_005D9F20
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_005D9FD0 NtReadFile, 4_2_005D9FD0
Source: C:\Windows\SysWOW64\wscript.exe, Code function: 4_2_005D9FCA NtReadFile, 4_2_005D9FCA
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Code function: String function: 0147B150 appears 136 times
Source: C:\Windows\SysWOW64\wscript.exe, Code function: String function: 04A7B150 appears 145 times
Source: BANK ACCOUNT INFO!.exe, Binary or memory string: OriginalFilename vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.215904460.0000000005A50000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenameKedermister.dllT vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, Binary or memory string: OriginalFilename vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000001.00000002.258458802.000000000156F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamewscript.exe` vs BANK ACCOUNT INFO!.exe
Source: BANK ACCOUNT INFO!.exe, Binary or memory string: OriginalFilenametymo.exeN vs BANK ACCOUNT INFO!.exe
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475693377.0000000002EF0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258154608.0000000001000000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.475792839.0000000002F20000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.473464239.00000000005C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.257924121.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.258303947.0000000001420000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.214389513.00000000038B9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.BANK ACCOUNT INFO!.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: BANK ACCOUNT INFO!.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine, Classification label: mal100.troj.evad.winEXE@7/1@4/3
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BANK ACCOUNT INFO!.exe.log
Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2212:120:WilError_01
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe, File read: C:\Windows\System32\drivers\etc\hosts
Source: BANK ACCOUNT INFO!.exe, Virustotal: Detection: 21%
Source: BANK ACCOUNT INFO!.exe, ReversingLabs: Detection: 10%
Source: unknown, Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: unknown, Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: unknown, Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknown, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: unknown, Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, Process created: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe
Source: C:\Windows\SysWOW64\wscript.exe, Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe'
Source: C:\Windows\explorer.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe, File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: BANK ACCOUNT INFO!.exe, Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: BANK ACCOUNT INFO!.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscript.pdbGCTL | source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP | source: BANK ACCOUNT INFO!.exe, 00000001.00000002.258458802.000000000156F000.00000040.00000001.sdmp, wscript.exe, 00000004.00000002.476368319.0000000004A50000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb | source: BANK ACCOUNT INFO!.exe, wscript.exe
          Source: Binary string: wscript.pdb | source: BANK ACCOUNT INFO!.exe, 00000001.00000002.260642680.0000000003250000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041D075 push eax; ret 1_2_0041D0C8
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041C802 push esi; iretd 1_2_0041C803
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041D0C2 push eax; ret 1_2_0041D0C8
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041D0CB push eax; ret 1_2_0041D132
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041E172 pushfd ; ret 1_2_0041E174
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041D12C push eax; ret 1_2_0041D132
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_004182CC push cs; retf 1_2_004182CE
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041E4F5 push dword ptr [537421FAh]; ret 1_2_0041E515
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_00419C92 pushfd ; iretd 1_2_00419C98
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0041674D push 8EAE14C8h; iretd 1_2_00416753
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_004167AE push C6E9D42Ah; ret 1_2_004167C2
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_014CD0D1 push ecx; ret 1_2_014CD0E4
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_04ACD0D1 push ecx; ret 4_2_04ACD0E4
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DD075 push eax; ret 4_2_005DD0C8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DC802 push esi; iretd 4_2_005DC803
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DD0CB push eax; ret 4_2_005DD132
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DD0C2 push eax; ret 4_2_005DD0C8
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DE172 pushfd ; ret 4_2_005DE174
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DD12C push eax; ret 4_2_005DD132
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005D82CC push cs; retf 4_2_005D82CE
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005DE4F5 push dword ptr [537421FAh]; ret 4_2_005DE515
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005D9C92 pushfd ; iretd 4_2_005D9C98
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005D674D push 8EAE14C8h; iretd 4_2_005D6753
          Source: C:\Windows\SysWOW64\wscript.exe | Code function: 4_2_005D67AE push C6E9D42Ah; ret 4_2_005D67C2
          Source: initial sample | Static PE information: section name: .text entropy: 7.82664888308

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.213965097.00000000028B1000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: BANK ACCOUNT INFO!.exe PID: 5264, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | RDTSC instruction interceptor: First address: 0000000000409B4E second address: 0000000000409B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000005C98E4 second address: 00000000005C98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000005C9B4E second address: 00000000005C9B54 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_00409A80 rdtsc 1_2_00409A80
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe TID: 5936 | Thread sleep time: -49237s >= -30000s
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe TID: 6096 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 6376 | Thread sleep count: 36 > 30
          Source: C:\Windows\explorer.exe TID: 6376 | Thread sleep time: -72000s >= -30000s
          Source: C:\Windows\SysWOW64\wscript.exe TID: 4464 | Thread sleep time: -48000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\wscript.exe | Last function: Thread delayed
          Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.229324948.0000000008640000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
          Source: explorer.exe, 00000002.00000002.487079470.00000000055D0000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000002.00000000.229544936.000000000871F000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000002.00000000.229616866.00000000087D1000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000002.00000002.487119662.0000000005603000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000002.00000003.292352680.0000000008A13000.00000004.00000001.sdmp | Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATAY
          Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: BANK ACCOUNT INFO!.exe, 00000000.00000002.214093011.00000000028F7000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
          Source: explorer.exe, 00000002.00000000.228899034.0000000008220000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\wscript.exe | Process queried: DebugPort
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_00409A80 rdtsc 1_2_00409A80
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0040ACC0 LdrLoadDll, 1_2_0040ACC0
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0149B944 mov eax, dword ptr fs:[00000030h] 1_2_0149B944
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0147C962 mov eax, dword ptr fs:[00000030h] 1_2_0147C962
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0147B171 mov eax, dword ptr fs:[00000030h] 1_2_0147B171
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_01479100 mov eax, dword ptr fs:[00000030h] 1_2_01479100
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_01494120 mov eax, dword ptr fs:[00000030h] 1_2_01494120
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_01494120 mov ecx, dword ptr fs:[00000030h] 1_2_01494120
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_014A513A mov eax, dword ptr fs:[00000030h] 1_2_014A513A
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exe | Code function: 1_2_0147B1E1 mov eax, dword ptr fs:[00000030h] 1_2_0147B1E1
          Source: C:\Users\user\Desktop\BANK ACCOUNT INFO!.exeCode function: <