
Analysis Report Booking Confirmation.exe

Overview

General Information

Sample Name: Booking Confirmation.exe
Analysis ID: 356529
MD5: 78d9eadc9fcc580239b360ffa2c2220f
SHA1: 2bc313ca573a9be005aa8d22e96601c10dcd5041
SHA256: e836c2aecd7a2ae83a5bb088780d9e7b8cd6c3a7ff6b9c3f1261bfd1f53dbef7
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Booking Confirmation.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\Booking Confirmation.exe' MD5: 78D9EADC9FCC580239B360FFA2C2220F)
    • Booking Confirmation.exe (PID: 3716 cmdline: C:\Users\user\Desktop\Booking Confirmation.exe MD5: 78D9EADC9FCC580239B360FFA2C2220F)
    • Booking Confirmation.exe (PID: 612 cmdline: C:\Users\user\Desktop\Booking Confirmation.exe MD5: 78D9EADC9FCC580239B360FFA2C2220F)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • chkdsk.exe (PID: 5072 cmdline: C:\Windows\SysWOW64\chkdsk.exe MD5: 2D5A2497CB57C374B3AE3080FF9186FB)
          • cmd.exe (PID: 7024 cmdline: /c del 'C:\Users\user\Desktop\Booking Confirmation.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
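The chain above is the part of this report a detection engineer can act on: the loader re-launches itself twice, explorer.exe appears under the second copy because the sample injected into it, a SysWOW64 utility (chkdsk.exe) is then started from explorer.exe, and that utility launches cmd.exe /c del against the dropper's own file. The report notes that no Sigma rule matched. The script below is an added example, not part of the Joe Sandbox report: it rebuilds the tree from constructed process-creation records (PIDs, images and command lines copied from the Startup section; the record layout is an assumption, not any product's schema, and the paths for explorer.exe and cmd.exe are assumed because the report prints only their MD5s) and flags the three behaviours.

```python
"""Triage a process tree for the FormBook execution chain in the report.

Added example, not part of the Joe Sandbox report. EVENTS is constructed
from the report's Startup section; the ProcEvent layout is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterator, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (assumed layout, not a real product schema)."""
    pid: int
    ppid: int
    image: str    # full path of the created process
    cmdline: str  # logged command line; "" where the report shows none


# Constructed from the report's Startup section. Paths for explorer.exe and
# cmd.exe are assumed (the report prints only their MD5s). explorer.exe is
# recorded as a child of PID 612 because the report nests it there (the
# sample injected into it); that edge is what lets the chain be walked.
EVENTS: List[ProcEvent] = [
    ProcEvent(7100, 1, r"C:\Users\user\Desktop\Booking Confirmation.exe", r"'C:\Users\user\Desktop\Booking Confirmation.exe'"),
    ProcEvent(3716, 7100, r"C:\Users\user\Desktop\Booking Confirmation.exe", r"C:\Users\user\Desktop\Booking Confirmation.exe"),
    ProcEvent(612, 7100, r"C:\Users\user\Desktop\Booking Confirmation.exe", r"C:\Users\user\Desktop\Booking Confirmation.exe"),
    ProcEvent(3424, 612, r"C:\Windows\explorer.exe", ""),
    ProcEvent(5072, 3424, r"C:\Windows\SysWOW64\chkdsk.exe", r"C:\Windows\SysWOW64\chkdsk.exe"),
    ProcEvent(7024, 5072, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\Booking Confirmation.exe'"),
    ProcEvent(6952, 7024, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# `/c del 'x.exe'`, `/c del "x.exe"` or unquoted; case-insensitive.
DEL_RE = re.compile(r"""/c\s+del\s+['"]?(?P<target>[^'"]+?\.exe)['"]?""", re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(index: Dict[int, ProcEvent], pid: int) -> Iterator[ProcEvent]:
    """Walk parent links upward; stops at an unknown parent or a cycle."""
    seen = {pid}
    ev = index.get(pid)
    while ev is not None and ev.ppid in index and ev.ppid not in seen:
        ev = index[ev.ppid]
        seen.add(ev.pid)
        yield ev


def find_self_spawn(events: List[ProcEvent]) -> List[int]:
    """PIDs whose parent runs the same image from outside C:\\Windows
    (the loader re-launching itself, as PIDs 3716 and 612 do above)."""
    index = {e.pid: e for e in events}
    return [e.pid for e in events
            if e.ppid in index
            and index[e.ppid].image.lower() == e.image.lower()
            and not e.image.lower().startswith("c:\\windows\\")]


def find_explorer_lolbin_chain(events: List[ProcEvent]) -> List[int]:
    """PIDs of system binaries started by explorer.exe that go on to spawn
    cmd.exe (explorer.exe -> chkdsk.exe -> cmd.exe in the report)."""
    index = {e.pid: e for e in events}
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    hits = []
    for e in events:
        parent = index.get(e.ppid)
        if parent is None or basename(parent.image) != "explorer.exe":
            continue
        if not e.image.lower().startswith(SYSTEM_DIRS):
            continue
        if any(basename(c.image) == "cmd.exe" for c in children.get(e.pid, [])):
            hits.append(e.pid)
    return hits


def find_self_deletion(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """(cmd.exe PID, ancestor PID) where `cmd /c del` targets the image of an
    ancestor anywhere up the chain: the dropper wiping its own file."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmd.exe":
            continue
        m = DEL_RE.search(e.cmdline)
        if not m:
            continue
        target = m.group("target").lower()
        for anc in ancestors(index, e.pid):
            if anc.image.lower() == target:
                hits.append((e.pid, anc.pid))
                break
    return hits


if __name__ == "__main__":
    print("self_spawn:", find_self_spawn(EVENTS))
    print("explorer_lolbin_chain:", find_explorer_lolbin_chain(EVENTS))
    print("self_deletion:", find_self_deletion(EVENTS))
```

The self-deletion rule walks parent links rather than checking the immediate parent, so it still fires here, where chkdsk.exe and not the dropper launches cmd.exe. Real endpoint telemetry would not show explorer.exe as a child process at all; the sandbox draws it that way because of the injection, which the signature list records separately ("Maps a DLL or memory area into another process", "Queues an APC in another process"), so a production rule would join the injection event to the later chkdsk.exe creation instead of relying on the parent link used in this constructed data.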

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.evolvekitchendesign.com/ffw/"], "decoy": ["unmutedgenerations.com", "localmoversuae.com", "centralrea.com", "geyyfphzoe.com", "silverpackfactory.com", "techtronixx.com", "shop-deinen-deal.com", "buehne.cloud", "inspirefreedomtoday.com", "chapelcouture.com", "easton-taiwan.com", "quanaonudep.store", "merzigomusic.com", "wpzoomin.com", "service-lkytrsahdfpedf.com", "yeasuc.com", "mydogtrainingservice.com", "galeribisnisonline.com", "cscremodeling.com", "bom-zzxx.com", "ensobet88.com", "vegancto.com", "digivisiol.com", "advancetools.net", "gzqyjd.com", "xtgnsl.com", "ftfortmyers.com", "g-siqueira.com", "ufdzbhrxk.icu", "tiekotiin.com", "youschrutedit.com", "takahatadenkikouji.com", "goodfastco.com", "jtelitetraining.com", "planet-hype.com", "gigwindow.com", "levelxpr.com", "besttechmobcomm.info", "funneldesigngenie.com", "mylisting.cloud", "alltwoyou.com", "mortgagesandprotection.online", "monthlydigest.info", "senlangdq.com", "postphenomenon.com", "slymwhite.com", "masonpreschool.com", "wahooshop.com", "meridiangummies.com", "samsungpartsdept.com", "saludbellezaybienestar.net", "vickifoxproductions.com", "shawandwesson.info", "nutrepele.com", "gorillatanks.com", "praktijkinfinity.online", "lanteredam.com", "refinedmanagement.com", "tiwapay.com", "fruitsinbeers.com", "charliekay.net", "realironart.com", "sonsofmari.com", "kedingtonni.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
18 further entries not shown

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.Booking Confirmation.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.Booking Confirmation.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.Booking Confirmation.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x13bbb8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13be32:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1689f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x168c72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x147955:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x174795:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x147441:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x174281:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a57:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x174897:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x147bcf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x174a0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13c84a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x16968a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1466bc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x1734fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x13d543:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x16a383:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x14d5f7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x17a437:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x14e5fa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8 further entries not shown
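The JPCERT/CC "detect Formbook in memory" rule hits in both the Memory Dumps and the Unpacked PEs tables above are the same three five-byte strings, each a 32-bit x86 `push imm32` (opcode 0x68 followed by a little-endian immediate). The script below is an added example, not the report's or JPCERT/CC's code: it scans a buffer for those strings and decodes the pushed immediates so the hit can be confirmed on a dump by hand. The buffer is constructed (zeros with the patterns planted at the offsets the report lists for 5.2.Booking Confirmation.exe.400000.0.raw.unpack) so the output can be checked against the table; the rule's condition is not printed on the page, so requiring all three strings is an assumption. The rule's string names suggest hashed import names, but the report does not say how they are derived, so nothing here depends on that.

```python
"""Locate and decode the JPCERT rule strings in a memory dump.

Added example, not the report's or JPCERT/CC's code. The dump is
constructed; the offsets come from the report's Unpacked PEs table.
"""
import struct
from typing import Dict, List, Tuple

# Rule strings exactly as printed in the report; each is `push imm32`.
RULE_STRINGS = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
}

# Offsets the report lists for 5.2.Booking Confirmation.exe.400000.0.raw.unpack.
REPORT_OFFSETS = {
    "sqlite3step": [0x18409, 0x1851C],
    "sqlite3text": [0x18438, 0x1855D],
    "sqlite3blob": [0x1844B, 0x18573],
}


def build_dump(size: int = 0x18600) -> bytes:
    """Constructed stand-in for the dump: zero padding with the strings planted."""
    buf = bytearray(size)
    for name, offsets in REPORT_OFFSETS.items():
        for off in offsets:
            buf[off:off + 5] = RULE_STRINGS[name]
    return bytes(buf)


def find_all(buf: bytes, pattern: bytes) -> List[int]:
    """Every offset at which `pattern` occurs, ascending (overlaps included)."""
    hits, i = [], buf.find(pattern)
    while i != -1:
        hits.append(i)
        i = buf.find(pattern, i + 1)
    return hits


def scan(buf: bytes) -> Dict[str, List[Tuple[int, int]]]:
    """For each rule string: (offset, pushed immediate) for every occurrence."""
    result: Dict[str, List[Tuple[int, int]]] = {}
    for name, pattern in RULE_STRINGS.items():
        result[name] = [(off, struct.unpack_from("<I", buf, off + 1)[0])
                        for off in find_all(buf, pattern)]
    return result


def matches_rule(hits: Dict[str, List[Tuple[int, int]]]) -> bool:
    """Assumed condition: every rule string occurs at least once."""
    return all(hits[name] for name in RULE_STRINGS)


if __name__ == "__main__":
    for name, occurrences in scan(build_dump()).items():
        for off, imm in occurrences:
            print(f"{name:12s} @ 0x{off:05x}: push 0x{imm:08X}")
```

Pointing `scan` at the real unpacked image instead of `build_dump()` only requires reading the file into a bytes object; the offsets it returns can then be compared with the report's table, and the decoded immediates (0xE17B1C34, 0xC5902A38, 0x8C7FD853) give constants to search for when the image is opened in a disassembler.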

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: Booking Confirmation.exe, ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: Booking Confirmation.exe, Joe Sandbox ML: detected
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: Booking Confirmation.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: Booking Confirmation.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: chkdsk.pdbGCTL source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: chkdsk.pdb source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
Source: Binary string: wntdll.pdbUGP source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: Booking Confirmation.exe, chkdsk.exe
Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.evolvekitchendesign.com/ffw/
Source: global traffic, HTTP traffic detected: GET /ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv HTTP/1.1 | Host: www.buehne.cloud | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv HTTP/1.1 | Host: www.praktijkinfinity.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv HTTP/1.1 | Host: www.localmoversuae.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, ASN Name: STRATOSTRATOAGDE
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: unknown, DNS traffic detected: queries for: www.buehne.cloud
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 23 Feb 2021 08:38:10 GMT | Server: Apache/2 | Upgrade: h2,h2c | Connection: Upgrade, close | Accept-Ranges: bytes | Vary: Accept-Encoding,User-Agent | Transfer-Encoding: chunked | Content-Type: text/html | Data Ascii (chunked body; the chunk-size lines 90, 8b, 12b, 0 and the run of trailing newlines are omitted): <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD><BODY><H1>Not Found</H1>The requested URL /ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&amp;uTxXc=ojO0dJK0Hv was not found on this server.<HR><I>www.praktijkinfinity.online</I></BODY></HTML>
Source: Booking Confirmation.exe, 00000000.00000003.650111317.0000000005725000.00000004.00000001.sdmp, String found in binary or memory: http://en.w
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000002.914045803.0000000002B50000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Booking Confirmation.exe, 00000000.00000003.653249672.0000000005728000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.como.
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.651977805.0000000005727000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000003.652187363.0000000005726000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Booking Confirmation.exe, 00000000.00000003.652141962.0000000005728000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnE
Source: Booking Confirmation.exe, 00000000.00000003.651858652.000000000572E000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cnht
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.come
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.coms
Source: Booking Confirmation.exe, 00000000.00000003.649430535.0000000005723000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.comt
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Booking Confirmation.exe, 00000000.00000003.651298106.000000000573B000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.comym
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Booking Confirmation.exe, 00000000.00000002.676021745.0000000006932000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.695698069.000000000B970000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
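The Snort alerts and the three captured GETs in this section share one shape: a GET to the configured path /ffw/ carrying two opaque query parameters, Connection: close, no User-Agent header (the "HTTP GET or POST without a user agent" signature) and a seven-null-byte body, and every one of them went to a host from the configuration's decoy list rather than to the configured C2, which never appears in the capture. The script below is an added example, not part of the Joe Sandbox report: it matches request records against the extracted configuration, separates check-in-shaped traffic from ordinary requests, labels each host as C2, decoy or unknown, and builds a blocklist that is seeded from the configuration rather than from what happened to be observed. CONFIG copies the report's C2 entry and a few decoy entries; REQUESTS is constructed from the three captured GETs (same hosts, paths and query strings) plus one ordinary request for contrast; the record field names are an assumption, not any proxy's real log schema.

```python
"""Classify observed HTTP requests against the extracted FormBook configuration.

Added example, not part of the Joe Sandbox report. CONFIG copies the
report's extracted configuration (decoy list shortened); REQUESTS is
constructed from the captured traffic; field names are an assumption.
"""
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

CONFIG = {
    "C2 list": ["www.evolvekitchendesign.com/ffw/"],
    "decoy": ["unmutedgenerations.com", "localmoversuae.com", "buehne.cloud",
              "praktijkinfinity.online", "silverpackfactory.com"],
}

REQUESTS: List[Dict] = [  # constructed from the report's captured GETs
    {"method": "GET", "host": "www.buehne.cloud",
     "uri": "/ffw/?MZg8=i2wbx/M7rrWGhnBeYdMUQ+oEsm11dU48NWkvE2U6RCUjjqrjMq6tqVdU8V2lO/H9m4oS&uTxXc=ojO0dJK0Hv",
     "headers": {"Host": "www.buehne.cloud", "Connection": "close"}},
    {"method": "GET", "host": "www.praktijkinfinity.online",
     "uri": "/ffw/?MZg8=QtqTw2GyYxf2WyRFtpmSmJJvhnrw03uNROtSydYnJk3JDRiYk6bsvXWgtuf5tlEJcMN+&uTxXc=ojO0dJK0Hv",
     "headers": {"Host": "www.praktijkinfinity.online", "Connection": "close"}},
    {"method": "GET", "host": "www.localmoversuae.com",
     "uri": "/ffw/?MZg8=vCSLLgJGCp79MzLYydBa+Bsk3bm2BxHz5ofTxOlO5FwRAAdXOpMXkN2jq+v+BBk+R2pe&uTxXc=ojO0dJK0Hv",
     "headers": {"Host": "www.localmoversuae.com", "Connection": "close"}},
    {"method": "GET", "host": "cdn.example.net", "uri": "/lib/app.js",  # benign, constructed
     "headers": {"Host": "cdn.example.net", "User-Agent": "Mozilla/5.0", "Connection": "keep-alive"}},
]


def canon_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so config and traffic hosts compare."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def parse_config(cfg: Dict) -> Tuple[Set[str], Set[str], Set[str]]:
    """Split 'host/path' C2 entries into host and path sets; canonicalise decoys."""
    c2_hosts, c2_paths = set(), set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2_hosts.add(canon_host(host))
        c2_paths.add("/" + path)
    return c2_hosts, c2_paths, {canon_host(d) for d in cfg["decoy"]}


def classify(requests: List[Dict], cfg: Dict) -> List[Dict]:
    """One finding per request: verdict (checkin/benign) and host class."""
    c2_hosts, c2_paths, decoys = parse_config(cfg)
    findings = []
    for r in requests:
        headers = {k.lower(): v for k, v in r["headers"].items()}
        parts = urlsplit(r["uri"])
        params = parse_qs(parts.query, keep_blank_values=True)
        # Shape of the check-in as captured: GET to the configured path, two
        # opaque parameters, Connection: close, and no User-Agent at all.
        checkin = (
            r["method"] == "GET"
            and parts.path in c2_paths
            and "user-agent" not in headers
            and headers.get("connection", "").lower() == "close"
            and len(params) == 2
        )
        host = canon_host(r["host"])
        host_class = "c2" if host in c2_hosts else "decoy" if host in decoys else "unknown"
        findings.append({"host": host, "verdict": "checkin" if checkin else "benign",
                         "host_class": host_class})
    return findings


def blocklist(findings: List[Dict], cfg: Dict) -> Set[str]:
    """Configured C2 hosts plus every host that actually received a check-in."""
    c2_hosts, _, _ = parse_config(cfg)
    return c2_hosts | {f["host"] for f in findings if f["verdict"] == "checkin"}


if __name__ == "__main__":
    results = classify(REQUESTS, CONFIG)
    for f in results:
        print(f"{f['host']:32s} {f['verdict']:8s} {f['host_class']}")
    print("block:", sorted(blocklist(results, CONFIG)))
```

All three captured requests classify as check-ins to decoy hosts and the configured C2 is absent from the capture, so an indicator list built only from observed destinations would miss the real server and would list three domains that the configuration itself marks as cover traffic. Seeding the blocklist from the configuration and adding only hosts that received check-in-shaped traffic keeps both facts; blocking the full decoy list is a separate decision, since those are unrelated domains the malware merely contacts.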

E-Banking Fraud:

Yara detected FormBook
Source: the same Yara matches as listed under AV Detection above

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large strings
Source: Booking Confirmation.exe, LogIn.cs | Long String: Length: 13656
Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, LogIn.cs | Long String: Length: 13656
Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, LogIn.cs | Long String: Length: 13656
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419D60 NtCreateFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419E10 NtReadFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419E90 NtClose
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419F40 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419D62 NtCreateFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419D1C NtCreateFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419DB2 NtReadFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00419E0A NtReadFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9950 NtQueueApcThread
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9820 NtEnumerateKey
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AB040 NtSuspendThread
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9B00 NtSetValueKey
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9A10 NtQuerySection
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AAD30 NtSetContextThread
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9560 NtWriteFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9760 NtOpenProcess
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018AA770 NtOpenThread
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9770 NtSetInformationFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A96D0 NtCreateKey
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9650 NtQueryValueKey
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D295D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D296D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D296E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D299A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D295F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29560 NtWriteFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D297A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A770 NtOpenThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29770 NtSetInformationFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29760 NtOpenProcess
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D298F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D298A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2B040 NtSuspendThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29820 NtEnumerateKey
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D299D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29950 NtQueueApcThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A10 NtQuerySection
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29A20 NtResumeThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D2A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D29B00 NtSetValueKey
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D60 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339E10 NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339E90 NtClose
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339F40 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D1C NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339D62 NtCreateFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339DB2 NtReadFile
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04339E0A NtReadFile
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 0_2_0247C2B0
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 0_2_02479990
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 0_2_002C379D
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 4_2_002D379D
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00401030
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041E212
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041D306
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00402D90
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041E5B7
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041E5BA
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00409E40
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00409E3B
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041CFA6
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00402FB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0186F900
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01884120
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0187B090
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018920A0
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019320A8
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019328EC
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01921002
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0193E824
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0189EBB0
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0192DBD2
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01932B28
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019322AE
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01892581
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_019325DD
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0187D5E0
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01932D07
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01860D20
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01931D55
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0187841F
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0192D466
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01931FF1
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01932EF7
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0192D616
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_01886E30
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00DC379D
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DAD466
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CF841F
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB25DD
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CFD5E0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D12581
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB1D55
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB2D07
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CE0D20
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB2EF7
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DAD616
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D06E30
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB1FF1
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB28EC
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CFB090
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D120A0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB20A8
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DA1002
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DBE824
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04CEF900
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D04120
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB22AE
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DADBD2
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D1EBB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04DB2B28
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433E5BA
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04322D90
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04329E3B
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04329E40
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04322FB0
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433CFA6
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433E212
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433D306
Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: String function: 04CEB150 appears 35 times
Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: String function: 0186B150 appears 35 times
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameriched20.dllp( vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: k,\\StringFileInfo\\000004B0\\OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameAsyncState.dllF vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000000.646928778.00000000002C2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.676504964.0000000006D10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000000.00000002.676596861.0000000006E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs Booking Confirmation.exe
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000004.00000002.668906261.00000000002D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilename vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.710181246.00000000015BC000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameCHKDSK.EXEj% vs Booking Confirmation.exe
Source: Booking Confirmation.exe, 00000005.00000002.709572293.0000000000DC2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe | Binary or memory string: OriginalFilenameIConnectionPoint.exe6 vs Booking Confirmation.exe
Source: Booking Confirmation.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.709997867.0000000001500000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.912607132.0000000004920000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.709520780.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.671285373.0000000003599000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.912770256.0000000004A80000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.912146154.0000000004320000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.709963590.00000000014D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.Booking Confirmation.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Booking Confirmation.exe.36e45e0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 5.2.Booking Confirmation.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Booking Confirmation.exe.3739600.2.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Booking Confirmation.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: Booking Confirmation.exe, LogIn.cs | Base64 encoded string: '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
            Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs | Base64 encoded string: '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
            Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, LogIn.cs | Base64 encoded string: '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
            Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs | Base64 encoded string: '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
            Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, LogIn.cs | Base64 encoded string: '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
            Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, LogIn.cs | Base64 encoded string: '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
            Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, LogIn.cs | Base64 encoded string: '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
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/1@4/3
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Booking Confirmation.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_01
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Mutant created: \Sessions\1\BaseNamedObjects\YvCWoKEDmRL
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: Booking Confirmation.exe, 00000000.00000002.670983591.0000000002591000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: Booking Confirmation.exe | ReversingLabs: Detection: 33%
            Source: unknown | Process created: C:\Users\user\Desktop\Booking Confirmation.exe 'C:\Users\user\Desktop\Booking Confirmation.exe'
            Source: unknown | Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
            Source: unknown | Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\chkdsk.exe C:\Windows\SysWOW64\chkdsk.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Process created: C:\Users\user\Desktop\Booking Confirmation.exe C:\Users\user\Desktop\Booking Confirmation.exe
            Source: C:\Windows\SysWOW64\chkdsk.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Booking Confirmation.exe'
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: Booking Confirmation.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Booking Confirmation.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: chkdsk.pdbGCTL source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
            Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp
            Source: Binary string: chkdsk.pdb source: Booking Confirmation.exe, 00000005.00000002.710165046.00000000015A8000.00000004.00000020.sdmp
            Source: Binary string: wntdll.pdbUGP source: Booking Confirmation.exe, 00000005.00000002.710355206.000000000195F000.00000040.00000001.sdmp, chkdsk.exe, 00000008.00000002.912945622.0000000004CC0000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Booking Confirmation.exe, chkdsk.exe
            Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000002.922870771.0000000005A00000.00000002.00000001.sdmp

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: Booking Confirmation.exe, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.Booking Confirmation.exe.2c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.Booking Confirmation.exe.2c0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.0.Booking Confirmation.exe.2d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 4.2.Booking Confirmation.exe.2d0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.0.Booking Confirmation.exe.dc0000.0.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 5.2.Booking Confirmation.exe.dc0000.1.unpack, BoundHandle.cs | .Net Code: .ctor System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00417867 push edx; retf 5_2_00417869
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041B124 push 423E369Ah; iretd 5_2_0041B12B
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00416625 push ds; retf 5_2_00416626
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041CEB5 push eax; ret 5_2_0041CF08
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041CF6C push eax; ret 5_2_0041CF72
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041DF6E push ds; ret 5_2_0041DF77
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041CF02 push eax; ret 5_2_0041CF08
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_0041CF0B push eax; ret 5_2_0041CF72
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_00410FA6 push ebx; ret 5_2_00410FA7
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Code function: 5_2_018BD0D1 push ecx; ret 5_2_018BD0E4
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04D3D0D1 push ecx; ret 8_2_04D3D0E4
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04336625 push ds; retf 8_2_04336626
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433CEB5 push eax; ret 8_2_0433CF08
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433CF02 push eax; ret 8_2_0433CF08
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433CF0B push eax; ret 8_2_0433CF72
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433DF6E push ds; ret 8_2_0433DF77
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433CF6C push eax; ret 8_2_0433CF72
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04330FA6 push ebx; ret 8_2_04330FA7
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_04337867 push edx; retf 8_2_04337869
            Source: C:\Windows\SysWOW64\chkdsk.exe | Code function: 8_2_0433B124 push 423E369Ah; iretd 8_2_0433B12B
            Source: initial sample | Static PE information: section name: .text entropy: 7.4686220922

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8F 0xFE 0xE0
            Source: C:\Users\user\Desktop\Booking Confirmation.exe | Process information set: NOOPENFILEERRORBOX