
Analysis Report kayx.exe

Overview

General Information

Sample Name: kayx.exe
Analysis ID: 321226
MD5: a80e73a824b655491f54278b7a29467d
SHA1: f33ddffc223c9afa4e226d3567b990a8e44828e6
SHA256: bdcd13abdded8f4f709fb288fb78b4afff486854b3ea78ad378d11220a31c3c4
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • kayx.exe (PID: 6524 cmdline: 'C:\Users\user\Desktop\kayx.exe' MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6932 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6916 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
    • kayx.exe (PID: 6900 cmdline: C:\Users\user\Desktop\kayx.exe MD5: A80E73A824B655491F54278B7A29467D)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • firefoxe.exe (PID: 3032 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' MD5: A80E73A824B655491F54278B7A29467D)
        • firefoxe.exe (PID: 2128 cmdline: 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe' MD5: A80E73A824B655491F54278B7A29467D)
        • mstsc.exe (PID: 6072 cmdline: C:\Windows\SysWOW64\mstsc.exe MD5: 2412003BE253A515C620CE4890F3D8F3)
          • cmd.exe (PID: 4816 cmdline: /c del 'C:\Users\user\Desktop\kayx.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
17.2.kayx.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
17.2.kayx.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
17.2.kayx.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
17.1.kayx.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
17.1.kayx.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: kayx.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Avira: detection malicious, Label: TR/Dropper.MSIL.blecg
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | ReversingLabs: Detection: 45%
Multi AV Scanner detection for submitted file
Source: kayx.exe | Virustotal: Detection: 34%
Source: kayx.exe | ReversingLabs: Detection: 45%
Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: kayx.exe | Joe Sandbox ML: detected
Source: 17.2.kayx.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.1.kayx.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | File opened: C:\Users\user\AppData\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | File opened: C:\Users\user\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Users\user\Desktop\kayx.exe | Code function: 4x nop then pop edi | 17_2_0040C122
Source: C:\Users\user\Desktop\kayx.exe | Code function: 4x nop then pop edi | 17_1_0040C122
Source: global traffic | HTTP traffic detected: GET /bg8v/?dR-0T=Hsg8WmNsaLMOQIlEIMfuFbk4MqbSZJWeSLNd01xx1olwbrd2uyfvFyB8JS14b3uA3WpV&Fxl0dR=KdShEXiX HTTP/1.1 | Host: www.ghoster.agency | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb1&Fxl0dR=KdShEXiX HTTP/1.1 | Host: www.jibenentreprenad.mobi | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown | DNS traffic detected: queries for: www.ghoster.agency
Source: mstsc.exe, 00000015.00000002.487573696.000000000543D000.00000004.00000001.sdmp | String found in binary or memory: https://www.jiben.se/bg8v/?dR-0T=BcRzG6gD98FnRJnM8S7gZqeq6OFb5sR0iVW6Pm7cF5yWostREqJtYuV2Juo62Dzc0Jb
Source: firefoxe.exe, 00000013.00000002.483426018.000000000108B000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C4AAF0 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C4AAE8 NtUnmapViewOfSection
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417B90 NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417C40 NtReadFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417CC0 NtClose
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417D70 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417B4A NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417BE2 NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417B8A NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00417CBF NtClose
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E498F0 NtReadVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49860 NtQuerySystemInformation, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49840 NtDelayExecution, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E499A0 NtCreateSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49910 NtAdjustPrivilegesToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49A50 NtCreateFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49A20 NtResumeThread, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49A00 NtProtectVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E495D0 NtClose, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49540 NtReadFile, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E496E0 NtFreeVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49660 NtAllocateVirtualMemory, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49FE0 NtCreateMutant, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E497A0 NtUnmapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49780 NtMapViewOfSection, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49710 NtQueryInformationToken, LdrInitializeThunk
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E498A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E4B040 NtSuspendThread
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49820 NtEnumerateKey
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E499D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49950 NtQueueApcThread
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49A10 NtQuerySection
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E4A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49B00 NtSetValueKey
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E495F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49560 NtWriteFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E4AD30 NtSetContextThread
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E496D0 NtCreateKey
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49650 NtQueryValueKey
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49760 NtOpenProcess
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49770 NtSetInformationFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E4A770 NtOpenThread
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E49730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E4A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417B90 NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417C40 NtReadFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417CC0 NtClose
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417D70 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417B4A NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417BE2 NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417B8A NtCreateFile
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00417CBF NtClose
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_01850C1C
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C42938
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C46D00
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C46D10
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C426C0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C426B1
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C42987
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00401030
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041B091
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00408A30
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00402D87
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00402D90
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041BE80
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041BE8A
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041C6AB
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041C7F2
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00402FB0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED28EC
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E320A0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED20A8
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E1B090
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EDE824
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2A830
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EC1002
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E24120
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E0F900
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED22AE
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EBFA2B
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EC03DA
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ECDBD2
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E3EBB0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E2AB40
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED2B28
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ECD466
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E1841F
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E1D5E0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED25DD
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E32581
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED1D55
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E00D20
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED2D07
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED2EF7
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E26E30
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ECD616
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00ED1FF1
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00EDDFCE
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00401030
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041B091
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00408A30
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00402D87
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00402D90
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041BE80
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041BE8A
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041C6AB
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041C7F2
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00402FB0
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Code function: 19_2_01060C1C
Source: C:\Users\user\Desktop\kayx.exe | Code function: String function: 00419A40 appears 38 times
Source: C:\Users\user\Desktop\kayx.exe | Code function: String function: 00E0B150 appears 54 times
Source: kayx.exe, 00000001.00000002.355661594.00000000059B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs kayx.exe
Source: kayx.exe, 00000001.00000002.351671330.0000000000F28000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000001.00000002.352304174.000000000333A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClassLibrary3.dll< vs kayx.exe
Source: kayx.exe, 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKlghppetippu.dll4 vs kayx.exe
Source: kayx.exe, 0000000F.00000002.349503948.0000000000268000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000010.00000002.350319835.0000000000328000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000011.00000002.397054523.000000000108F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs kayx.exe
Source: kayx.exe, 00000011.00000000.350990783.0000000000468000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: kayx.exe, 00000011.00000002.397835707.0000000002C23000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemstsc.exej% vs kayx.exe
Source: kayx.exe | Binary or memory string: OriginalFilenameVdltohs3.exel% vs kayx.exe
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.485444810.0000000002F00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.396099862.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.396027525.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000015.00000002.484279657.0000000000A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.396259639.0000000000980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000001.351516494.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.352630853.00000000041E1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.kayx.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.1.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.kayx.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: kayx.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: firefoxe.exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: kayx.exe, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: firefoxe.exe.1.dr, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.0.kayx.exe.ec0000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 1.2.kayx.exe.ec0000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.2.kayx.exe.200000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 15.0.kayx.exe.200000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 16.0.kayx.exe.2c0000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 16.2.kayx.exe.2c0000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 17.0.kayx.exe.400000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 19.0.firefoxe.exe.9a0000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 19.2.firefoxe.exe.9a0000.0.unpack, u0006/u0005.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine | Classification label: mal100.troj.evad.winEXE@14/3@4/2
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_01
Source: C:\Users\user\Desktop\kayx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini
Source: C:\Users\user\Desktop\kayx.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: kayx.exe | Virustotal: Detection: 34%
Source: kayx.exe | ReversingLabs: Detection: 45%
Source: C:\Users\user\Desktop\kayx.exe | File read: C:\Users\user\Desktop\kayx.exe
Source: unknown | Process created: C:\Users\user\Desktop\kayx.exe 'C:\Users\user\Desktop\kayx.exe'
Source: unknown | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: unknown | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: unknown | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\mstsc.exe C:\Windows\SysWOW64\mstsc.exe
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Users\user\Desktop\kayx.exe | Process created: C:\Users\user\Desktop\kayx.exe C:\Users\user\Desktop\kayx.exe
Source: C:\Windows\explorer.exe | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe'
Source: C:\Windows\SysWOW64\mstsc.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\kayx.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
Source: C:\Users\user\Desktop\kayx.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: kayx.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: kayx.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: kayx.exe, 00000011.00000003.351692207.0000000000AB0000.00000004.00000001.sdmp, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: kayx.exe, mstsc.exe, 00000015.00000002.486610265.0000000004CAF000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdbGCTL source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
          Source: Binary string: mstsc.pdb source: kayx.exe, 00000011.00000002.397529833.0000000002B00000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000012.00000000.376957565.000000000E1C0000.00000002.00000001.sdmp

          Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\kayx.exe | Unpacked PE file: 17.2.kayx.exe.400000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs .text:ER;
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_0185A9A1 push edx; iretd | 1_2_0185A9A2
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C48CE3 push E808AB5Eh; retf | 1_2_05C48D01
Source: C:\Users\user\Desktop\kayx.exe | Code function: 1_2_05C48C8D push E808AB5Eh; retf | 1_2_05C48D01
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041AD55 push eax; ret | 17_2_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041ADA2 push eax; ret | 17_2_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041ADAB push eax; ret | 17_2_0041AE12
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041AE0C push eax; ret | 17_2_0041AE12
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00414EC5 push CFF27278h; ret | 17_2_00414EC0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00414E85 push CFF27278h; ret | 17_2_00414EC0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00414740 push cs; iretd | 17_2_00414779
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_0041478D push cs; iretd | 17_2_00414779
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_2_00E5D0D1 push ecx; ret | 17_2_00E5D0E4
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041AD55 push eax; ret | 17_1_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041ADA2 push eax; ret | 17_1_0041ADA8
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041ADAB push eax; ret | 17_1_0041AE12
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041AE0C push eax; ret | 17_1_0041AE12
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00414EC5 push CFF27278h; ret | 17_1_00414EC0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00414E85 push CFF27278h; ret | 17_1_00414EC0
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_00414740 push cs; iretd | 17_1_00414779
Source: C:\Users\user\Desktop\kayx.exe | Code function: 17_1_0041478D push cs; iretd | 17_1_00414779
Source: initial sample | Static PE information: section name: .text entropy: 7.94131868162
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe
Source: C:\Users\user\Desktop\kayx.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\kayx.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run firefoxe
Source: C:\Windows\explorer.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\kayx.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\noteped\firefoxe.exe | Process information set: NOOPENFILEERRORBOX