
Analysis Report 0O9BJfVJi6fEMoS.exe

Overview

General Information

Sample Name: 0O9BJfVJi6fEMoS.exe
Analysis ID: 356555
MD5: 18ec78e09155c046a203fb4dcbc3593f
SHA1: 40e67eef7c001a8752763616fc9a58170721c27a
SHA256: 01c5ac824171a164473d92187f8031f2bc7103397fe534f56771d8e9589445e0
Tags: exe, Formbook, Yahoo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 0O9BJfVJi6fEMoS.exe (PID: 7028 cmdline: 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe' MD5: 18EC78E09155C046A203FB4DCBC3593F)
    • 0O9BJfVJi6fEMoS.exe (PID: 3492 cmdline: {path} MD5: 18EC78E09155C046A203FB4DCBC3593F)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 6664 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • explorer.exe (PID: 6700 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 6812 cmdline: /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.besteprobioticakopen.online/uszn/"], "decoy": ["animegriptape.com", "pcpnetworks.com", "putupmybabyforadoption.com", "xn--jvrr98g37n88d.com", "fertinvitro.doctor", "undonethread.com", "avoleague.com", "sissysundays.com", "guilhermeoliveiro.site", "catholicon-bespeckle.info", "mardesuenosfundacion.com", "songkhoe24.site", "shoecityindia.com", "smallbathroomdecor.info", "tskusa.com", "prairiespringsllc.com", "kegncoffee.com", "clicklounge.xyz", "catholicendoflifeplanning.com", "steelobzee.com", "xiknekiterapia.com", "whereinthezooareyou.com", "maglex.info", "dango3.net", "sqjqw4.com", "theparadisogroup.com", "karthikeyainfraindia.com", "luewevedre.com", "helpwithmynutrition.com", "lengyue.cool", "pbipropertiesllc.com", "glidedisc.com", "sz-rhwjkj.com", "776fx.com", "kamanantzin.com", "grandwhale.com", "trump2020shop.net", "gentilelibri.com", "jarliciouslounge.com", "dgcsales.net", "hypno.doctor", "holidayinnindyairportnorth.com", "buysellleasewithlisa.com", "girishastore.com", "tinynucleargenerators.com", "crystalphoenixltd.com", "lapplify.com", "bailbondinazusa.com", "michaelmery.com", "tripleecoaching.com", "fastenerspelosato.net", "horisan-touki.com", "marketingavacado.com", "centrebiozeina.com", "xn--3etz63bc5ck9c.com", "rhemachurch4u.com", "homeschoolangel.com", "romeysworld.com", "themixedveggies.com", "queendreea.club", "epedalflorida.com", "blutreemg.com", "nongfupingtai.com", "shikshs.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0xaee68:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xaf1f2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xd6288:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xd6612:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0xbaf05:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xe2325:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0xba9f1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xe1e11:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0xbb007:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xe2427:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0xbb17f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xe259f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xafc0a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xd702a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0xb9c6c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xe108c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb0982:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xd7da2:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0xbfff7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xe7417:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0xc109a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: www.besteprobioticakopen.online/uszn/ | Avira URL Cloud: Label: malware
Source: http://www.besteprobioticakopen.online/uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX | Avira URL Cloud: Label: malware
Found malware configuration
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | Malware Configuration Extractor: FormBook {"C2 list": ["www.besteprobioticakopen.online/uszn/"], "decoy": ["animegriptape.com", "pcpnetworks.com", "putupmybabyforadoption.com", "xn--jvrr98g37n88d.com", "fertinvitro.doctor", "undonethread.com", "avoleague.com", "sissysundays.com", "guilhermeoliveiro.site", "catholicon-bespeckle.info", "mardesuenosfundacion.com", "songkhoe24.site", "shoecityindia.com", "smallbathroomdecor.info", "tskusa.com", "prairiespringsllc.com", "kegncoffee.com", "clicklounge.xyz", "catholicendoflifeplanning.com", "steelobzee.com", "xiknekiterapia.com", "whereinthezooareyou.com", "maglex.info", "dango3.net", "sqjqw4.com", "theparadisogroup.com", "karthikeyainfraindia.com", "luewevedre.com", "helpwithmynutrition.com", "lengyue.cool", "pbipropertiesllc.com", "glidedisc.com", "sz-rhwjkj.com", "776fx.com", "kamanantzin.com", "grandwhale.com", "trump2020shop.net", "gentilelibri.com", "jarliciouslounge.com", "dgcsales.net", "hypno.doctor", "holidayinnindyairportnorth.com", "buysellleasewithlisa.com", "girishastore.com", "tinynucleargenerators.com", "crystalphoenixltd.com", "lapplify.com", "bailbondinazusa.com", "michaelmery.com", "tripleecoaching.com", "fastenerspelosato.net", "horisan-touki.com", "marketingavacado.com", "centrebiozeina.com", "xn--3etz63bc5ck9c.com", "rhemachurch4u.com", "homeschoolangel.com", "romeysworld.com", "themixedveggies.com", "queendreea.club", "epedalflorida.com", "blutreemg.com", "nongfupingtai.com", "shikshs.com"]}
Multi AV Scanner detection for submitted file
Source: 0O9BJfVJi6fEMoS.exe | ReversingLabs: Detection: 21%
Yara detected FormBook
Source: Yara match | File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: 0O9BJfVJi6fEMoS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: 0O9BJfVJi6fEMoS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: explorer.pdbUGP | source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 0O9BJfVJi6fEMoS.exe, explorer.exe
Source: Binary string: explorer.pdb | source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 4x nop then pop edi | 6_2_0040C3CB
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi | 11_2_0097C3CB

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49764 -> 184.106.16.223:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49766 -> 202.66.173.116:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49770 -> 94.23.162.163:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.besteprobioticakopen.online/uszn/
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=ilzBSMt+mC5PnIueaE0o4kFNHHW8rQxTZUVxaBcrk7HNT8xc6ayAEkd5Nrf40/DEmyGF&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.fastenerspelosato.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=52ikA0v5VO8qsylJfSO1DetMiatJe0E1D9rBoJ+nHZYmtxf70roQflY+S8wYouTF3o6y&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.sissysundays.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=lR8nCh02VBrVevH9DBfx7BVzy1/OBYfsNcE9m+G8n0i7QYmfgEfs3uLKSpan4882ouVy&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.whereinthezooareyou.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=z5jHb1CZWrsr2p16zetrIsrl3FBZKeiByVV0oSV+dvaqVG1rneJc4YmewlelB8A40GEQ&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.fertinvitro.doctor | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=hu5lsjyQ8jtyvTSzqUKsO9FdlIq7HJAoGWXF85Byxyx8kG/0QeCZ2D448NGSTsl89HtB&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.dgcsales.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=QfBSKsl5Vu8QEYvg6r6EpYBO+tHghinNKHDEOdj6/CEQOiVDlwCi9gx1TH+D8HDA3Ujy&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.horisan-touki.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=L/tqFlZRmZhJZD1iC7RgW0bOgnRBAskMdyXY70yD3QYv5j7RY53hkHd2ZTpB0JeH3WIq&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.karthikeyainfraindia.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=mPpTgQkduQgKd9eKHDnKxG7Zl5xM97I2KtefNy7cE9uF2W6RPqZ+V0j9JFBrxigWFYGz&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.buysellleasewithlisa.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /uszn/?I48=5LoNRXVM8eyE2Me8xFE40xCr0JzPAOX0MOzM3KUbBxAS8JEwG8sqp8Wi1O663rh9uwDV&ofrxU=yVMtQLoX HTTP/1.1 | Host: www.besteprobioticakopen.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 35.246.6.109
Source: Joe Sandbox View | ASN Name: NETMAGIC-APNetmagicDatacenterMumbaiIN
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: OVHFR
Source: unknown | DNS traffic detected: queries for: www.fastenerspelosato.net
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Server: Microsoft-IIS/8.0 | X-Powered-By: ASP.NET | X-Powered-By-Plesk: PleskWin | Date: Tue, 23 Feb 2021 09:08:03 GMT | Connection: close | Content-Length: 1245
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://code.google.com/feeds/p/topicalmemorysystem/downloads/basic.xml
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://code.google.com/p/topicalmemorysystem/
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://topicalmemorysystem.googlecode.com/files/
Source: explorer.exe, 00000007.00000002.913073739.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://www.biblegateway.com/passage/?search=
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://www.biblija.net/biblija.cgi?m=
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://www.blueletterbible.org/Bible.cfm?b=
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://www.esvstudybible.org/search?q=
Source: 0O9BJfVJi6fEMoS.exe | String found in binary or memory: http://www.esvstudybible.org/search?q=Whttp://www.blueletterbible.org/Bible.cfm?b=
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.694922945.0000000006D62000.00000004.00000001.sdmp, explorer.exe, 00000007.00000000.715777408.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 0000000B.00000002.915089078.00000000056C2000.00000004.00000001.sdmp | String found in binary or memory: https://www.hugedomains.com/domain_profile.cfm?d=grandwhale&e=com

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_004181B0 NtCreateFile, | 6_2_004181B0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00418260 NtReadFile, | 6_2_00418260
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_004182E0 NtClose, | 6_2_004182E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00418390 NtAllocateVirtualMemory, | 6_2_00418390
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_004181AC NtCreateFile, | 6_2_004181AC
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00418262 NtReadFile, | 6_2_00418262
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_004182DA NtClose, | 6_2_004182DA
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 6_2_01679910
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016799A0 NtCreateSection,LdrInitializeThunk, | 6_2_016799A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679860 NtQuerySystemInformation,LdrInitializeThunk, | 6_2_01679860
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679840 NtDelayExecution,LdrInitializeThunk, | 6_2_01679840
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016798F0 NtReadVirtualMemory,LdrInitializeThunk, | 6_2_016798F0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679A50 NtCreateFile,LdrInitializeThunk, | 6_2_01679A50
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679A20 NtResumeThread,LdrInitializeThunk, | 6_2_01679A20
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679A00 NtProtectVirtualMemory,LdrInitializeThunk, | 6_2_01679A00
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679540 NtReadFile,LdrInitializeThunk, | 6_2_01679540
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016795D0 NtClose,LdrInitializeThunk, | 6_2_016795D0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679710 NtQueryInformationToken,LdrInitializeThunk, | 6_2_01679710
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679FE0 NtCreateMutant,LdrInitializeThunk, | 6_2_01679FE0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016797A0 NtUnmapViewOfSection,LdrInitializeThunk, | 6_2_016797A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679780 NtMapViewOfSection,LdrInitializeThunk, | 6_2_01679780
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679660 NtAllocateVirtualMemory,LdrInitializeThunk, | 6_2_01679660
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016796E0 NtFreeVirtualMemory,LdrInitializeThunk, | 6_2_016796E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679950 NtQueueApcThread, | 6_2_01679950
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016799D0 NtCreateProcessEx, | 6_2_016799D0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0167B040 NtSuspendThread, | 6_2_0167B040
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679820 NtEnumerateKey, | 6_2_01679820
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016798A0 NtWriteVirtualMemory, | 6_2_016798A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679B00 NtSetValueKey, | 6_2_01679B00
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0167A3B0 NtGetContextThread, | 6_2_0167A3B0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679A10 NtQuerySection, | 6_2_01679A10
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679A80 NtOpenDirectoryObject, | 6_2_01679A80
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679560 NtWriteFile, | 6_2_01679560
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679520 NtWaitForSingleObject, | 6_2_01679520
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0167AD30 NtSetContextThread, | 6_2_0167AD30
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016795F0 NtQueryInformationFile, | 6_2_016795F0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679760 NtOpenProcess, | 6_2_01679760
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0167A770 NtOpenThread, | 6_2_0167A770
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679770 NtSetInformationFile, | 6_2_01679770
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679730 NtQueryVirtualMemory, | 6_2_01679730
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0167A710 NtOpenProcessToken, | 6_2_0167A710
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679670 NtQueryInformationProcess, | 6_2_01679670
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679650 NtQueryValueKey, | 6_2_01679650
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01679610 NtEnumerateValueKey, | 6_2_01679610
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016796D0 NtCreateKey, | 6_2_016796D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 11_2_05079910
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079540 NtReadFile,LdrInitializeThunk, | 11_2_05079540
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050799A0 NtCreateSection,LdrInitializeThunk, | 11_2_050799A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050795D0 NtClose,LdrInitializeThunk, | 11_2_050795D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079840 NtDelayExecution,LdrInitializeThunk, | 11_2_05079840
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079860 NtQuerySystemInformation,LdrInitializeThunk, | 11_2_05079860
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079710 NtQueryInformationToken,LdrInitializeThunk, | 11_2_05079710
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079780 NtMapViewOfSection,LdrInitializeThunk, | 11_2_05079780
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079FE0 NtCreateMutant,LdrInitializeThunk, | 11_2_05079FE0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079A50 NtCreateFile,LdrInitializeThunk, | 11_2_05079A50
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079650 NtQueryValueKey,LdrInitializeThunk, | 11_2_05079650
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079660 NtAllocateVirtualMemory,LdrInitializeThunk, | 11_2_05079660
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050796D0 NtCreateKey,LdrInitializeThunk, | 11_2_050796D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050796E0 NtFreeVirtualMemory,LdrInitializeThunk, | 11_2_050796E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079520 NtWaitForSingleObject, | 11_2_05079520
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0507AD30 NtSetContextThread, | 11_2_0507AD30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079950 NtQueueApcThread, | 11_2_05079950
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079560 NtWriteFile, | 11_2_05079560
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050799D0 NtCreateProcessEx, | 11_2_050799D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050795F0 NtQueryInformationFile, | 11_2_050795F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079820 NtEnumerateKey, | 11_2_05079820
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0507B040 NtSuspendThread, | 11_2_0507B040
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050798A0 NtWriteVirtualMemory, | 11_2_050798A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050798F0 NtReadVirtualMemory, | 11_2_050798F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079B00 NtSetValueKey, | 11_2_05079B00
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0507A710 NtOpenProcessToken, | 11_2_0507A710
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079730 NtQueryVirtualMemory, | 11_2_05079730
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079760 NtOpenProcess, | 11_2_05079760
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079770 NtSetInformationFile, | 11_2_05079770
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0507A770 NtOpenThread, | 11_2_0507A770
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050797A0 NtUnmapViewOfSection, | 11_2_050797A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0507A3B0 NtGetContextThread, | 11_2_0507A3B0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079A00 NtProtectVirtualMemory, | 11_2_05079A00
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079610 NtEnumerateValueKey, | 11_2_05079610
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079A10 NtQuerySection, | 11_2_05079A10
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079A20 NtResumeThread, | 11_2_05079A20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079670 NtQueryInformationProcess, | 11_2_05079670
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05079A80 NtOpenDirectoryObject, | 11_2_05079A80
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009881B0 NtCreateFile, | 11_2_009881B0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009882E0 NtClose, | 11_2_009882E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00988260 NtReadFile, | 11_2_00988260
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00988390 NtAllocateVirtualMemory, | 11_2_00988390
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009881AC NtCreateFile, | 11_2_009881AC
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_009882DA NtClose, | 11_2_009882DA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00988262 NtReadFile, | 11_2_00988262
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 0_2_0103D20C | 0_2_0103D20C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 0_2_0103F2C0 | 0_2_0103F2C0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 0_2_0103F2D0 | 0_2_0103F2D0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00401029 | 6_2_00401029
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00401030 | 6_2_00401030
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00408C4B | 6_2_00408C4B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00408C50 | 6_2_00408C50
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041B536 | 6_2_0041B536
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00402D90 | 6_2_00402D90
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041C5B7 | 6_2_0041C5B7
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041B7D2 | 6_2_0041B7D2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00402FB0 | 6_2_00402FB0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01654120 | 6_2_01654120
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0163F900 | 6_2_0163F900
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016F1002 | 6_2_016F1002
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_017028EC | 6_2_017028EC
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016620A0 | 6_2_016620A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_017020A8 | 6_2_017020A8
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0164B090 | 6_2_0164B090
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01702B28 | 6_2_01702B28
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016FDBD2 | 6_2_016FDBD2
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0166EBB0 | 6_2_0166EBB0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_017022AE | 6_2_017022AE
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01701D55 | 6_2_01701D55
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01630D20 | 6_2_01630D20
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01702D07 | 6_2_01702D07
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0164D5E0 | 6_2_0164D5E0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_017025DD | 6_2_017025DD
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01662581 | 6_2_01662581
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016FD466 | 6_2_016FD466
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0164841F | 6_2_0164841F
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01701FF1 | 6_2_01701FF1
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01656E30 | 6_2_01656E30
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_016FD616 | 6_2_016FD616
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_01702EF7 | 6_2_01702EF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0503F900 | 11_2_0503F900
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05102D07 | 11_2_05102D07
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05030D20 | 11_2_05030D20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05054120 | 11_2_05054120
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05101D55 | 11_2_05101D55
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05062581 | 11_2_05062581
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_051025DD | 11_2_051025DD
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0504D5E0 | 11_2_0504D5E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050F1002 | 11_2_050F1002
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0504841F | 11_2_0504841F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0504B090 | 11_2_0504B090
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050620A0 | 11_2_050620A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_051020A8 | 11_2_051020A8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_051028EC | 11_2_051028EC
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05102B28 | 11_2_05102B28
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0506EBB0 | 11_2_0506EBB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_050FDBD2 | 11_2_050FDBD2
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05101FF1 | 11_2_05101FF1
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05056E30 | 11_2_05056E30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_051022AE | 11_2_051022AE
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_05102EF7 | 11_2_05102EF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00978C50 | 11_2_00978C50
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00978C4B | 11_2_00978C4B
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00972D90 | 11_2_00972D90
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098C5B7 | 11_2_0098C5B7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098B536 | 11_2_0098B536
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00972FB0 | 11_2_00972FB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0503B150 appears 35 times
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: String function: 0163B150 appears 35 times
          Source: 0O9BJfVJi6fEMoS.exe | Binary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.686761788.00000000006E2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.695770371.0000000008A00000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe | Binary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000005.00000000.684507893.0000000000312000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe | Binary or memory string: OriginalFilename vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.730975183.0000000000AA2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732802577.000000000172F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe, 00000006.00000003.730245049.00000000039AE000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe | Binary or memory string: OriginalFilename5uogbG vs 0O9BJfVJi6fEMoS.exe
          Source: 0O9BJfVJi6fEMoS.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.910849108.0000000000970000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.730806558.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.911281407.0000000000FB0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.732150923.00000000010C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.732300917.0000000001110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.689872337.0000000003CC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.911225919.0000000000F80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.0O9BJfVJi6fEMoS.exe.3d11730.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 6.2.0O9BJfVJi6fEMoS.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0O9BJfVJi6fEMoS.exe, 00000000.00000002.696031440.0000000008C80000.00000004.00000001.sdmp | Binary or memory string: ^.vBpq
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/1@12/9
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0O9BJfVJi6fEMoS.exe.log
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Mutant created: \Sessions\1\BaseNamedObjects\TwFbGi
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6824:120:WilError_01
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
          Source: 0O9BJfVJi6fEMoS.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: 0O9BJfVJi6fEMoS.exe | ReversingLabs: Detection: 21%
          Source: unknown | Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: unknown | Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Process created: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe {path}
          Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe'
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 0O9BJfVJi6fEMoS.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 0O9BJfVJi6fEMoS.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.732550981.0000000001610000.00000040.00000001.sdmp, explorer.exe, 0000000B.00000002.914570132.000000000512F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 0O9BJfVJi6fEMoS.exe, explorer.exe
          Source: Binary string: explorer.pdb source: 0O9BJfVJi6fEMoS.exe, 00000006.00000002.733414389.00000000032E0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000007.00000000.705470471.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 0_2_051E1598 push eax; mov dword ptr [esp], ecx | 0_2_051E159C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0040BAA8 push ebp; iretd | 6_2_0040BAAA
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041B3F2 push eax; ret | 6_2_0041B3F8
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041B3FB push eax; ret | 6_2_0041B462
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041C399 push edi; ret | 6_2_0041C39B
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041B3A5 push eax; ret | 6_2_0041B3F8
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041B45C push eax; ret | 6_2_0041B462
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00415554 push cs; iretd | 6_2_00415555
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0041CE23 push esp; ret | 6_2_0041CF5C
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_00413755 push eax; retf | 6_2_00413757
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_0168D0D1 push ecx; ret | 6_2_0168D0E4
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0508D0D1 push ecx; ret | 11_2_0508D0E4
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0097BAA8 push ebp; iretd | 11_2_0097BAAA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098C399 push edi; ret | 11_2_0098C39B
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098B3A5 push eax; ret | 11_2_0098B3F8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098B3FB push eax; ret | 11_2_0098B462
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098B3F2 push eax; ret | 11_2_0098B3F8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098B45C push eax; ret | 11_2_0098B462
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00985554 push cs; iretd | 11_2_00985555
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0098CE23 push esp; ret | 11_2_0098CF5C
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_00983755 push eax; retf | 11_2_00983757
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurements
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | RDTSC instruction interceptor: First address: 000000000040896E second address: 0000000000408974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000009785E4 second address: 00000000009785EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 000000000097896E second address: 0000000000978974 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Code function: 6_2_004088A0 rdtsc | 6_2_004088A0
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe | Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\0O9BJfVJi6fEMoS.exe TID: 7056 | Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 5856 | Thread sleep time: -45000s >= -30000s
          Source: C:\Windows\SysWOW64\explorer.exe TID: 6188 | Thread sleep time: -40000s >= -30000s
          Source: C:\Windows\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
          Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000007.00000000.710461036.000000000A60E000.00000004.00000001.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.705821818.0000000006650000.00000004.00000001.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000007.00000000.717818953.000000000FC96000.00000004.00000001.sdmp | Binary or memory string: _VMware_SATA_CD00#5&
          Source: explorer.exe, 00000007.00000002.920387906.0000000004710000.00000004.00000001.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000[Wm
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000007.00000000.711037304.000000000A716000.00000004.00000001.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000/
          Source: explorer.exe, 00000007.00000002.923576890.00000000058C0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000007.00000000.711186736.000000000A784000.00000004.00000001.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000@
          Source