
Analysis Report PO_210223.exe

Overview

General Information

Sample Name: PO_210223.exe
Analysis ID: 356494
MD5: e40af9745e938b72d5d860bbc679aebf
SHA1: d9e750061417b0ca9f933db79c99c12934abbe84
SHA256: 38acc90cd6d33b61b99cca8cf06781e1bd2ab8ffebc3a33e036eca36037d413b
Tags: exe, Formbook, geoKOR

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses ipconfig to lookup or modify the Windows network settings
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO_210223.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\PO_210223.exe' MD5: E40AF9745E938B72D5D860BBC679AEBF)
    • schtasks.exe (PID: 1556 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO_210223.exe (PID: 1868 cmdline: C:\Users\user\Desktop\PO_210223.exe MD5: E40AF9745E938B72D5D860BBC679AEBF)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • ipconfig.exe (PID: 6744 cmdline: C:\Windows\SysWOW64\ipconfig.exe MD5: B0C7423D02A007461C850CD0DFE09318)
          • cmd.exe (PID: 7112 cmdline: /c del 'C:\Users\user\Desktop\PO_210223.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.000666dy.com/ntg/"], "decoy": ["successwithyolandafgreen.com", "theordinaryph.com", "atamyo-therapeutics.com", "pophazard.com", "anthonyfultz.com", "pasanglham.com", "kanekhushi.com", "littlefishyswim.com", "kaieteurny.com", "fanavartima.com", "digexpo.com", "se-rto.com", "chaos.finance", "bakldx.com", "after-school.pro", "faithfromphilly.com", "estudiomuradian.com", "albertocerasini.com", "andronna.com", "wingspotusa.com", "lucky-lucky.online", "ga-don.com", "shawnbly.com", "shoptalullah.com", "needfulvegan.com", "ampersandaconsulting.com", "hoyhelp.com", "wickfordinternists.com", "kindlovingmindfulyoga.com", "hhkgjt.net", "eventpubgpharaoh.com", "blameitonpizza.com", "editshirt.com", "utulocal194.com", "meralpro.com", "rochesterhindus.com", "wadihassafi.com", "visitouroffice.com", "duncantraining.com", "ggrealestategroup.com", "xrf-tech.com", "pro-tizer.com", "usesoft.icu", "caralsalem.com", "inudaipur.com", "fluid-branding.com", "titizadiyamancigkofte.com", "es-tucasa.com", "103manningave.com", "eclat-beauty.info", "ahameeting2021.com", "gsyxh.com", "246835.com", "onwardfpv.com", "estasinvitado.net", "kinderkakery.com", "bala5.com", "gehqaralouine.com", "editorialesrd.com", "thebarconcepts.com", "aleitzeventdecor.com", "moderaty.com", "geraloqaresuine.com", "kyotodreaming.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
0.2.PO_210223.exe.2cb671c.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
0.2.PO_210223.exe.45c8e00.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.PO_210223.exe.45c8e00.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
0.2.PO_210223.exe.45c8e00.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
9.2.PO_210223.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data:
  • Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
  • CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
  • CommandLine|base64offset|contains: *j
  • Image: C:\Windows\SysWOW64\schtasks.exe
  • NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  • OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  • ParentCommandLine: 'C:\Users\user\Desktop\PO_210223.exe'
  • ParentImage: C:\Users\user\Desktop\PO_210223.exe
  • ParentProcessId: 6976
  • ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
  • ProcessId: 1556

Signature Overview


AV Detection:

Found malware configuration
Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\kwqifureL.exe | ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: PO_210223.exe | Virustotal: Detection: 31%
Source: PO_210223.exe | ReversingLabs: Detection: 42%
Yara detected FormBook
Source: Yara match | File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\kwqifureL.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_210223.exe | Joe Sandbox ML: detected
Source: 9.2.PO_210223.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\PO_210223.exe | Unpacked PE file: 0.2.PO_210223.exe.890000.0.unpack
Uses 32bit PE files
Source: PO_210223.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO_210223.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: ipconfig.pdb | source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source: Binary string: ipconfig.pdbGCTL | source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: PO_210223.exe, ipconfig.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\PO_210223.exe | Code function: 4x nop then pop edi | 9_2_00416C98
Source: C:\Windows\SysWOW64\ipconfig.exe | Code function: 4x nop then pop edi | 13_2_009C6C98

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.000666dy.com/ntg/
Source: global traffic | HTTP traffic detected: GET /ntg/?ojoHzZ=ezEzfTUVqdhTeHhhSUO1nROjhCSdyq2ILgetv621tco9QxJ0Ek6h+l0QSU1+LT7ErdbR&1bm=GPD0lNKPfFHTAb HTTP/1.1 | Host: www.pophazard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ntg/?ojoHzZ=w4X+hAUHJfroJmp94c1onPOAPenZZpTxtRzXhSWsn9e2URXOAMjiMifVYC4X6954J+Dz&1bm=GPD0lNKPfFHTAb HTTP/1.1 | Host: www.246835.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ntg/?ojoHzZ=bxqEOtZwpu8QOdqfa5M05y7zdw+lGZ3K+8kzjODwarG6Nc6O9nhCMo5PAGRXJYSnY3HU&1bm=GPD0lNKPfFHTAb HTTP/1.1 | Host: www.kaieteurny.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 204.11.56.48
Source: Joe Sandbox View | ASN Name: CONFLUENCE-NETWORK-INCVG
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: C:\Windows\explorer.exe | Code function: 10_2_04E0E782 getaddrinfo,setsockopt,recv | 10_2_04E0E782
Source: unknown | DNS traffic detected: queries for: www.pophazard.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 0000000A.00000002.910436982.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcy
Source: PO_210223.exe, 00000000.00000003.648155639.000000000828D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comig
Source: PO_210223.exe, 00000000.00000003.648075554.000000000828D000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comint
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comk
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comva9y
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_210223.exe, 00000000.00000003.652634958.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_210223.exe, 00000000.00000003.654377069.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersQ
Source: PO_210223.exe, 00000000.00000003.658906996.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerse
Source: PO_210223.exe, 00000000.00000003.658952636.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersiva
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PO_210223.exe, 00000000.00000003.645891455.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comc
Source: PO_210223.exe, 00000000.00000003.645842271.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comic
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_210223.exe, 00000000.00000003.647755183.0000000008255000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnal
Source: PO_210223.exe, 00000000.00000003.647493837.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnal9y
Source: PO_210223.exe, 00000000.00000003.647129278.0000000008256000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnt7o
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_210223.exe, 00000000.00000003.655856986.0000000008285000.00000004.00000001.sdmp, PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO_210223.exe, 00000000.00000003.658733903.0000000008285000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
Source: ipconfig.exe, 0000000D.00000002.911031033.0000000003E4F000.00000004.00000001.sdmp | String found in binary or memory: http://www.pophazard.com/sk-logabpstatus.php?a=aG42QXdLZEpxVDR5Y2RqNUtBbnIvaUNNaWJVdEVQVjlJMUxVR2dwW
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com8i
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comal
Source: PO_210223.exe, 00000000.00000003.646155016.000000000826B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comh
Source: PO_210223.exe, 00000000.00000003.649005992.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.comlic
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PO_210223.exe, 00000000.00000002.686743124.0000000009462000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.696926398.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO_210223.exe, 00000000.00000003.648938805.0000000008252000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cniy
Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match File source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match File source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Initial sample is a PE file and has a suspicious name
            Source: initial sample Static PE information: Filename: PO_210223.exe
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_00419D50 NtCreateFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_00419E00 NtReadFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_00419E80 NtClose
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_00419F30 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_00419D4A NtCreateFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_00419F2A NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018499A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018498F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018495D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018497A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018496E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018499D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849950 NtQueueApcThread
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018498A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849820 NtEnumerateKey
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_0184B040 NtSuspendThread
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_0184A3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849B00 NtSetValueKey
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849A10 NtQuerySection
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018495F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_0184AD30 NtSetContextThread
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849560 NtWriteFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849FE0 NtCreateMutant
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_0184A710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849760 NtOpenProcess
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_0184A770 NtOpenThread
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849770 NtSetInformationFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_018496D0 NtCreateKey
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849650 NtQueryValueKey
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: 9_2_01849670 NtQueryInformationProcess
            Source: C:\Windows\explorer.exe Code function: 10_2_04E0DA32 NtCreateFile
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034996D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034996E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034995D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034999A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499760 NtOpenProcess
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_0349A770 NtOpenThread
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_0349A710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034997A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_0349A3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499650 NtQueryValueKey
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499660 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499A10 NtQuerySection
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499A20 NtResumeThread
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499560 NtWriteFile
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_0349AD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034999D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034995F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_0349B040 NtSuspendThread
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_03499820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034998F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_034998A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_009C9D50 NtCreateFile
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_009C9E80 NtClose
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_009C9E00 NtReadFile
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: 13_2_009C9D4A NtCreateFile
            Source: C:\Users\user\Desktop\PO_210223.exe Code function: String function: 0180B150 appears 35 times
            Source: C:\Windows\SysWOW64\ipconfig.exe Code function: String function: 0345B150 appears 35 times
            Source: PO_210223.exe Binary or memory string: OriginalFilename vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000000.641235536.0000000000956000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp Binary or memory string: originalfilename vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.689224282.000000000B660000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.687139133.0000000009840000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.687388801.00000000099C0000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.688279597.000000000B570000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameriched20.dllp( vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameAsyncState.dllF vs PO_210223.exe
            Source: PO_210223.exe, 00000000.00000002.679711505.0000000001030000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs PO_210223.exe
            Source: PO_210223.exe, 00000009.00000002.715919446.00000000016E7000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameipconfig.exej% vs PO_210223.exe
            Source: PO_210223.exe, 00000009.00000000.673088328.0000000000CF6000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
            Source: PO_210223.exe, 00000009.00000002.716615748.0000000001A8F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs PO_210223.exe
            Source: PO_210223.exe Binary or memory string: OriginalFilenameUCOMITypeComp.exe6 vs PO_210223.exe
            Source: PO_210223.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.715452206.0000000001180000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000D.00000002.907288680.00000000009B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000D.00000002.907602619.0000000000D90000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000D.00000002.907432455.0000000000C60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.715093547.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.715862611.00000000016B0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.681205179.0000000004429000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.PO_210223.exe.45c8e00.3.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.2.PO_210223.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.2.PO_210223.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.PO_210223.exe.4573fe0.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@3/3
            Source: C:\Users\user\Desktop\PO_210223.exeFile created: C:\Users\user\AppData\Roaming\kwqifureL.exeJump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeMutant created: \Sessions\1\BaseNamedObjects\kOfurgeHGWQSiueuJ
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1744:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_01
            Source: C:\Users\user\Desktop\PO_210223.exeFile created: C:\Users\user\AppData\Local\Temp\tmp33D2.tmpJump to behavior
            Source: PO_210223.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\PO_210223.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmpBinary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: PO_210223.exe, 00000000.00000002.680445109.0000000002C2D000.00000004.00000001.sdmpBinary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: PO_210223.exeVirustotal: Detection: 31%
            Source: PO_210223.exeReversingLabs: Detection: 42%
            Source: C:\Users\user\Desktop\PO_210223.exeFile read: C:\Users\user\Desktop\PO_210223.exeJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\PO_210223.exe 'C:\Users\user\Desktop\PO_210223.exe'
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\ipconfig.exe C:\Windows\SysWOW64\ipconfig.exe
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\PO_210223.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\kwqifureL' /XML 'C:\Users\user\AppData\Local\Temp\tmp33D2.tmp'Jump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeProcess created: C:\Users\user\Desktop\PO_210223.exe C:\Users\user\Desktop\PO_210223.exeJump to behavior
            Source: C:\Windows\SysWOW64\ipconfig.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO_210223.exe'Jump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
            Source: C:\Users\user\Desktop\PO_210223.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: PO_210223.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: PO_210223.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: ipconfig.pdb source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
            Source: Binary string: ipconfig.pdbGCTL source: PO_210223.exe, 00000009.00000002.715896040.00000000016E0000.00000040.00000001.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP source: PO_210223.exe, 00000009.00000002.716018199.00000000017E0000.00000040.00000001.sdmp, ipconfig.exe, 0000000D.00000002.908995826.0000000003430000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: PO_210223.exe, ipconfig.exe
            Source: Binary string: wscui.pdb source: explorer.exe, 0000000A.00000000.691413999.0000000005A00000.00000002.00000001.sdmp

            Data Obfuscation: