

Analysis Report AQJEKNHnWK.exe

Overview

General Information

Sample Name: AQJEKNHnWK.exe
Analysis ID: 383851
MD5: 5d8702803555ff684424ebd13eda9f47
SHA1: f8b1197457782ba958fc7178fb838119c8138374
SHA256: f7e96b7c6612b709e413bbc8c72796cadbb7ce91ed17ec77d5ba4d4422e729cb
Tags: exe, Formbook
Most interesting Screenshot: (image not reproduced in this export)

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Contains functionality to prevent local Windows debugging
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • AQJEKNHnWK.exe (PID: 1724 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)
    • AQJEKNHnWK.exe (PID: 4772 cmdline: 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: 5D8702803555FF684424EBD13EDA9F47)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 1156 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 5560 cmdline: /c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4228 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
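Added example (not part of the Joe Sandbox report): detection logic for the process chain shown in the Startup section, run over constructed process-creation events. PIDs, image paths and command lines are taken from the tree above; the parent of PID 1724, the cmd.exe image path, and the benign notepad.exe event are assumptions. The three rules correspond to what the tree shows: the sample starting a second copy of itself (the hollowing target), a 32-bit explorer.exe from SysWOW64, and cmd.exe deleting the original file.

```python
# Added example, not the report's code. Flag the injection/cleanup chain from
# process-creation events (pid, parent pid, image path, command line).
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path of the new process
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# "/c del <path>": the report renders the quotes around the path as single
# quotes, a real cmd.exe line uses double quotes, so accept both (or none).
DEL_RE = re.compile(r"""/c\s+del\s+(?:"([^"]+)"|'([^']+)'|(\S+))""", re.IGNORECASE)


def detect(events: List[ProcEvent]) -> List[Finding]:
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    images_seen = {e.image.lower() for e in events}
    findings: List[Finding] = []
    for e in events:
        img = e.image.lower()
        parent = by_pid.get(e.ppid)
        # 1. A process starting a second copy of its own image; with
        #    CREATE_SUSPENDED this is the hollowing pattern the report flags.
        if parent is not None and parent.image.lower() == img:
            findings.append(Finding("self_spawn", e.pid,
                f"{e.image} started a copy of itself (pid {parent.pid} -> {e.pid})"))
        # 2. A 32-bit explorer.exe from SysWOW64 is not the shell on a 64-bit
        #    host; in the report it is the injected process that runs cleanup.
        if img == r"c:\windows\syswow64\explorer.exe":
            findings.append(Finding("syswow64_explorer", e.pid,
                "explorer.exe started from SysWOW64 on a 64-bit host"))
        # 3. cmd.exe deleting the image of a process seen in the same batch:
        #    the sample removing itself from the desktop after injecting.
        if img.endswith("\\cmd.exe"):
            m = DEL_RE.search(e.cmdline)
            if m:
                target = next(g for g in m.groups() if g).lower()
                if target in images_seen:
                    findings.append(Finding("self_delete", e.pid,
                        f"cmd.exe deletes {target}, an image seen in this batch"))
    return findings


# Constructed events modelled on the report's process tree. The parent of
# 1724 (the desktop shell, pid 3388) and the cmd.exe path are assumptions.
EVENTS = [
    ProcEvent(1724, 3388, r"C:\Users\user\Desktop\AQJEKNHnWK.exe",
              r"'C:\Users\user\Desktop\AQJEKNHnWK.exe'"),
    ProcEvent(4772, 1724, r"C:\Users\user\Desktop\AQJEKNHnWK.exe",
              r"'C:\Users\user\Desktop\AQJEKNHnWK.exe'"),
    ProcEvent(1156, 3388, r"C:\Windows\SysWOW64\explorer.exe",
              r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(5560, 1156, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Users\user\Desktop\AQJEKNHnWK.exe'"),
    ProcEvent(7000, 3388, r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign
]


def run_report_events() -> List[Finding]:
    return detect(EVENTS)


if __name__ == "__main__":
    for f in run_report_events():
        print(f"[{f.rule}] pid {f.pid}: {f.detail}")
```

Rule 1 alone fires on any self-relaunching installer, so in production it is worth gating on the child being created suspended (the report's "Creates a process in suspended mode" signature) or on a later thread-context change in that child; rules 2 and 3 together are specific enough to page on.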

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.th0rgramm.com/hx3a/"], "decoy": ["xn--ol-xia.com", "gracieleesgiftsandmore.com", "invenufas.com", "nexgencoder.com", "virginiabrightseleccion.com", "selectenergyservicestx.com", "warchocki.com", "xn--comercialvioo-tkb.website", "losangelesbraiders.com", "skaraonline.com", "freeworldsin.com", "jabberjawmobile.com", "orgoneartist.com", "xyfzfl.com", "arooko.com", "investmentpartners.limited", "ugonget.com", "ringforklift.com", "recovatek.com", "bukannyaterbuai24.com", "formula-kuhni.com", "cyfss.com", "stkify.com", "aksharnewtown.com", "libroricardoanaya.com", "phillhutt.com", "mywinnersworld.com", "school17obn.com", "cocoshop.info", "netzcorecloud.com", "bookbeachchairs.com", "summitsolutionsnow.com", "yakudatsu-hikaku.com", "elitedrive.net", "jjwheelerphotography.com", "motcamket.com", "hatikuturkila.com", "tonton-koubou.com", "roughcuttavernorder.com", "leagueofconsciouscreatives.com", "worldsabroad.com", "ezmodafinil.com", "apettelp.club", "xn--jvrr98g37n88d.com", "gobiodisc.com", "alliedcds.com", "jillspickles.com", "alfenas.info", "herbalyesman.xyz", "sugary-sweet.com", "rigscart.com", "curiget.xyz", "stacksyspro.net", "sxqyws.net", "solocubiertos.com", "actuualizarinfruma.com", "thecurmudgeonsspeakout.com", "paydaegitimkurumlari.com", "sellingdealsinheels.com", "dezhou8.xyz", "thelitigatorsbookclub.com", "rainbowsdepot.com", "serenityislegalveston.com", "contactredzonetalent.com"]}

Yara Overview

Memory Dumps

Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x166b9:$sqlite3step: 68 34 1C 7B E1
    • 0x167cc:$sqlite3step: 68 34 1C 7B E1
    • 0x166e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1680d:$sqlite3text: 68 38 2A 90 C5
    • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(the report lists 19 memory-dump entries; the remaining ones are not reproduced in this export)

      Unpacked PEs

Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x158b9:$sqlite3step: 68 34 1C 7B E1
    • 0x159cc:$sqlite3step: 68 34 1C 7B E1
    • 0x158e8:$sqlite3text: 68 38 2A 90 C5
    • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
    • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(the report lists 13 unpacked-PE entries; the remaining ones are not reproduced in this export)
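Added example (not the report's code, and not the Formbook_1 or Formbook Yara rules themselves): re-scan a constructed memory image for the byte strings the Yara Overview lists, and decode what they are. The patterns and offsets are the ones printed above for the 00000007.00000002.467033203.00000000004E0000 dump; the bytes around them are constructed (zero fill), so the scan only proves the matching logic, not the sample. Two things worth knowing about these strings: $sequence_0 disassembles to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, an rdtsc delta stored to a local, which is the timing check behind the "Tries to detect virtualization through RDTSC time measurements" signature; and each $sqlite3* string is a push imm32 of a 32-bit constant that the JPCERT/CC rule names after a sqlite3 API, so the constant stands in for an API name resolved at runtime (the page does not say which hash function produces it, and this example does not guess).

```python
# Added example, not the report's code. Pure-Python stand-in for the Yara
# string matching whose results the Yara Overview lists.
from typing import Dict, List, Optional

SIGNATURES: Dict[str, bytes] = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax: an rdtsc delta.
    "sequence_0":  bytes.fromhex("03C80F312BC18945FC"),
    # 0x68 = push imm32; the dword is the constant the rule names after an API.
    "sqlite3step": bytes.fromhex("68341C7BE1"),
    "sqlite3text": bytes.fromhex("68382A90C5"),
    "sqlite3blob": bytes.fromhex("6853D87F8C"),
}

# Offsets the report gives for each string in that memory dump.
REPORTED_OFFSETS: Dict[str, List[int]] = {
    "sequence_0":  [0x85E8, 0x8982],
    "sqlite3step": [0x166B9, 0x167CC],
    "sqlite3text": [0x166E8, 0x1680D],
    "sqlite3blob": [0x166FB, 0x16823],
}


def scan(buf: bytes, sigs: Dict[str, bytes] = SIGNATURES) -> Dict[str, List[int]]:
    """Every offset at which each signature occurs (all hits, like Yara's strings)."""
    hits: Dict[str, List[int]] = {}
    for name, pat in sigs.items():
        offs, i = [], buf.find(pat)
        while i != -1:
            offs.append(i)
            i = buf.find(pat, i + 1)
        hits[name] = offs
    return hits


def push_imm32(pat: bytes) -> Optional[int]:
    """Decode a 5-byte 'push imm32' (opcode 0x68 + little-endian dword), else None."""
    if len(pat) == 5 and pat[0] == 0x68:
        return int.from_bytes(pat[1:], "little")
    return None


def build_dump(size: int = 0x20000) -> bytes:
    """Constructed stand-in for the dump: zero-filled, with the signatures
    planted at the offsets the report lists."""
    buf = bytearray(size)
    for name, offs in REPORTED_OFFSETS.items():
        for o in offs:
            buf[o:o + len(SIGNATURES[name])] = SIGNATURES[name]
    return bytes(buf)


if __name__ == "__main__":
    for name, offs in scan(build_dump()).items():
        const = push_imm32(SIGNATURES[name])
        note = f"push 0x{const:08X}" if const is not None else "rdtsc timing sequence"
        print(f"{name:12} {[hex(o) for o in offs]}  {note}")
```

Note also the offsets across the sources above: the same string sits at 0x85e8 in the .sdmp dump and in the 1.1 .raw.unpack, but at 0x77e8 in the 1.2 .unpack, and every $sequence_* and $sqlite3* offset differs by exactly 0xE00 between those two views. That is the difference between a buffer laid out as it was in memory (section alignment) and the rebuilt PE (file alignment); when you carry an offset from one report view into a disassembler, pick the view that matches the file you opened.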

          Sigma Overview

          No Sigma rule has matched

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll; ReversingLabs: Detection: 20%
Multi AV Scanner detection for submitted file
Source: AQJEKNHnWK.exe; VirusTotal: Detection: 18%
Source: AQJEKNHnWK.exe; ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match; File source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPE
Source: 7.2.explorer.exe.2d564d0.3.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 7.2.explorer.exe.4e47960.6.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: AQJEKNHnWK.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: explorer.pdbUGP; source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: AQJEKNHnWK.exe, 00000000.00000003.210067388.000000001F0E0000.00000004.00000001.sdmp, AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp, explorer.exe, 00000007.00000002.473937643.0000000004A2F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: AQJEKNHnWK.exe, explorer.exe
Source: Binary string: explorer.pdb; source: AQJEKNHnWK.exe, 00000001.00000002.256768707.00000000026C0000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe; Code function: 0_2_00405301 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,SetFileAttributesA,RemoveDirectoryA
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe; Code function: 0_2_00405C94 SetErrorMode,SetErrorMode,FindFirstFileA,SetErrorMode,FindClose
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe; Code function: 0_2_004026BC FindFirstFileA
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe; Code function: 1_2_0040C3C1 4x nop then pop edi
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe; Code function: 1_1_0040C3C1 4x nop then pop edi
Source: C:\Windows\SysWOW64\explorer.exe; Code function: 7_2_004EC3C1 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49724 -> 23.227.38.74:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.th0rgramm.com/hx3a/
Source: global traffic; HTTP traffic detected: GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1 | Host: www.mywinnersworld.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic; HTTP traffic detected: GET /hx3a/?tZUT=3J4IwxDxyQGM57lngVTovpY0RYYybvKdXCCorOYcpgj/2IXBVenraHtymYKqlnAzAiYz&9r98J=FbY8OBD HTTP/1.1 | Host: www.gracieleesgiftsandmore.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic; HTTP traffic detected: GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1 | Host: www.tonton-koubou.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic; HTTP traffic detected: GET /hx3a/?tZUT=etiEYBoPDxOhXHdNW+toGoO48BEbVYBhZG7o21xT+1ckFZjGUMv71muAk6m7YJWGV3TF&9r98J=FbY8OBD HTTP/1.1 | Host: www.phillhutt.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View; IP Address: 23.227.38.74
Source: Joe Sandbox View; ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View; ASN Name: DXTL-HKDXTLTseungKwanOServiceHK
Source: Joe Sandbox View; ASN Name: WEBHOST1-ASRU
Source: unknown; DNS traffic detected: queries for: www.rainbowsdepot.com
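Added example (not part of the Joe Sandbox report): turn the extracted configuration into indicators and run them over HTTP request heads, the way a proxy-log or IDS check would. The C2 entry, the two check-in request lines and the Host headers are copied from the report; the decoy list is cut down to the hosts that appear in the captured traffic (the full list is under Malware Configuration), and the two benign-looking requests are constructed. The point the traffic above makes, and the code encodes, is that the check-ins go to decoy hosts, not to the configured C2 host, so the stable indicator is the URI path from the config plus the request shape (two query parameters, one long opaque value and one short one, and no User-Agent header, which is the report's "HTTP GET or POST without a user agent" signature), with the host list as a supporting match.

```python
# Added example, not the report's code. Indicators from the extracted
# FormBook config, applied to raw HTTP request heads.
import json
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl, urlsplit

# C2 entry as extracted; decoy list shortened to hosts seen in the traffic.
CONFIG_JSON = (
    '{"C2 list": ["www.th0rgramm.com/hx3a/"], '
    '"decoy": ["mywinnersworld.com", "gracieleesgiftsandmore.com", '
    '"tonton-koubou.com", "phillhutt.com", "formula-kuhni.com", "rainbowsdepot.com"]}'
)


def iocs_from_config(cfg_json: str) -> Tuple[Set[str], Set[str]]:
    """C2 URI paths, and the host set (C2 hosts plus decoys, with and without
    a www. label, because the captured requests use www.<decoy>)."""
    cfg = json.loads(cfg_json)
    paths: Set[str] = set()
    hosts: Set[str] = set()
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        hosts.add(host.lower())
        paths.add("/" + path)
    for decoy in cfg["decoy"]:
        d = decoy.lower()
        hosts.update({d, "www." + d})
    return paths, hosts


def parse_request(raw: str) -> Dict[str, str]:
    """Minimal parser for an HTTP/1.x request head (request line + headers)."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target,
            "host": headers.get("host", "").lower(),
            "user_agent": headers.get("user-agent", "")}


def classify(raw: str, paths: Set[str], hosts: Set[str]) -> Tuple[str, List[str]]:
    req = parse_request(raw)
    url = urlsplit(req["target"])
    params = parse_qsl(url.query, keep_blank_values=True)
    reasons: List[str] = []
    if url.path in paths:
        reasons.append("c2_path")
    if req["host"] in hosts:
        reasons.append("config_host")
    # Two parameters, a long opaque first value and a short second one: the
    # shape of every check-in the report captured.
    if len(params) == 2 and len(params[0][1]) >= 40 and len(params[1][1]) <= 10:
        reasons.append("checkin_shape")
    if not req["user_agent"]:
        reasons.append("no_user_agent")
    if "c2_path" in reasons and ("config_host" in reasons or "checkin_shape" in reasons):
        return "formbook_checkin", reasons
    if reasons:
        return "review", reasons
    return "benign", reasons


SAMPLES = [
    # Two check-ins from the report (request line, Host, Connection).
    "GET /hx3a/?tZUT=0fll8pJq7ZAUibPF4kinhno6RtSSoQWPS25LacVc9zIksnHvjqyKkUnVN9tOTAaZP4N+&9r98J=FbY8OBD HTTP/1.1\r\n"
    "Host: www.mywinnersworld.com\r\nConnection: close\r\n\r\n",
    "GET /hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF+bm7wgJ2FfsCiVE70xyhWGRMHpTR01i4U7VcQ&9r98J=FbY8OBD HTTP/1.1\r\n"
    "Host: www.tonton-koubou.com\r\nConnection: close\r\n\r\n",
    # Constructed: ordinary browsing.
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n",
    # Constructed: same path on an unknown host with a normal query. A look, not a verdict.
    "GET /hx3a/?page=2 HTTP/1.1\r\nHost: www.example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
]


def run_samples() -> List[Tuple[str, str, List[str]]]:
    paths, hosts = iocs_from_config(CONFIG_JSON)
    return [(parse_request(s)["host"],) + classify(s, paths, hosts) for s in SAMPLES]


if __name__ == "__main__":
    for host, verdict, reasons in run_samples():
        print(f"{verdict:17} {host:32} {','.join(reasons)}")
```

The path "/hx3a/" and the hosts change from build to build, so feed this from the extractor output per sample rather than hard-coding; the shape and missing-User-Agent checks are what carry over between builds.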
Source: explorer.exe, 00000004.00000000.241718690.00000000089FD000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp; String found in binary or memory: http://julianlawoffices.law/hx3a/?tZUT=Iu/IXyUbTVDu5P2JH19Ubbm/NNayCdBr7HPQNpzBLmA
Source: explorer.exe, 00000007.00000002.474718381.0000000004FC2000.00000004.00000001.sdmp; String found in binary or memory: http://tonton-koubou.com/hx3a/?tZUT=vULSFbXUfWqfH/UQKANXmh//LRVD9fF
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000007.00000002.472073266.0000000002DBC000.00000004.00000020.sdmp; String found in binary or memory: http://www.formula-kuhni.com/eIm#
Source: explorer.exe, 00000007.00000002.472169147.0000000002DCF000.00000004.00000020.sdmp; String found in binary or memory: http://www.formula-kuhni.com/hx3a/?tZUT=caEAE6TOQuxSMBR5BS8nf
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.241792611.0000000008B46000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\AQJEKNHnWK.exe; Code function: 0_2_00404EA0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,lstrlenA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File sources: the same 8 memory dumps (type: MEMORY) and 6 unpacked PEs (type: UNPACKEDPE) listed under AV Detection, Yara detected FormBook

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.216654991.000000001EEF0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256189783.0000000000A00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.210481681.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.255958752.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.256046021.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.468337581.0000000000840000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.468235656.0000000000810000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.AQJEKNHnWK.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.AQJEKNHnWK.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.AQJEKNHnWK.exe.1eef0000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004181C0 NtCreateFile, | 1_2_004181C0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00418270 NtReadFile, | 1_2_00418270
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004182F0 NtClose, | 1_2_004182F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004183A0 NtAllocateVirtualMemory, | 1_2_004183A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_004182EA NtClose, | 1_2_004182EA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041839A NtAllocateVirtualMemory, | 1_2_0041839A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk, | 1_2_00AA98F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk, | 1_2_00AA9860
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9840 NtDelayExecution,LdrInitializeThunk, | 1_2_00AA9840
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk, | 1_2_00AA99A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 1_2_00AA9910
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A20 NtResumeThread,LdrInitializeThunk, | 1_2_00AA9A20
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk, | 1_2_00AA9A00
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A50 NtCreateFile,LdrInitializeThunk, | 1_2_00AA9A50
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA95D0 NtClose,LdrInitializeThunk, | 1_2_00AA95D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9540 NtReadFile,LdrInitializeThunk, | 1_2_00AA9540
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 1_2_00AA96E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 1_2_00AA9660
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk, | 1_2_00AA97A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk, | 1_2_00AA9780
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk, | 1_2_00AA9FE0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk, | 1_2_00AA9710
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA98A0 NtWriteVirtualMemory, | 1_2_00AA98A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9820 NtEnumerateKey, | 1_2_00AA9820
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAB040 NtSuspendThread, | 1_2_00AAB040
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA99D0 NtCreateProcessEx, | 1_2_00AA99D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9950 NtQueueApcThread, | 1_2_00AA9950
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A80 NtOpenDirectoryObject, | 1_2_00AA9A80
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9A10 NtQuerySection, | 1_2_00AA9A10
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAA3B0 NtGetContextThread, | 1_2_00AAA3B0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9B00 NtSetValueKey, | 1_2_00AA9B00
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA95F0 NtQueryInformationFile, | 1_2_00AA95F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9520 NtWaitForSingleObject, | 1_2_00AA9520
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAAD30 NtSetContextThread, | 1_2_00AAAD30
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9560 NtWriteFile, | 1_2_00AA9560
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA96D0 NtCreateKey, | 1_2_00AA96D0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9610 NtEnumerateValueKey, | 1_2_00AA9610
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9670 NtQueryInformationProcess, | 1_2_00AA9670
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9650 NtQueryValueKey, | 1_2_00AA9650
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9730 NtQueryVirtualMemory, | 1_2_00AA9730
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAA710 NtOpenProcessToken, | 1_2_00AAA710
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9760 NtOpenProcess, | 1_2_00AA9760
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AA9770 NtSetInformationFile, | 1_2_00AA9770
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00AAA770 NtOpenThread, | 1_2_00AAA770
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004181C0 NtCreateFile, | 1_1_004181C0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00418270 NtReadFile, | 1_1_00418270
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004182F0 NtClose, | 1_1_004182F0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004183A0 NtAllocateVirtualMemory, | 1_1_004183A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_004182EA NtClose, | 1_1_004182EA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041839A NtAllocateVirtualMemory, | 1_1_0041839A
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049795D0 NtClose,LdrInitializeThunk, | 7_2_049795D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979540 NtReadFile,LdrInitializeThunk, | 7_2_04979540
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049796D0 NtCreateKey,LdrInitializeThunk, | 7_2_049796D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049796E0 NtFreeVirtualMemory,LdrInitializeThunk, | 7_2_049796E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979650 NtQueryValueKey,LdrInitializeThunk, | 7_2_04979650
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979660 NtAllocateVirtualMemory,LdrInitializeThunk, | 7_2_04979660
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979780 NtMapViewOfSection,LdrInitializeThunk, | 7_2_04979780
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979FE0 NtCreateMutant,LdrInitializeThunk, | 7_2_04979FE0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979710 NtQueryInformationToken,LdrInitializeThunk, | 7_2_04979710
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979840 NtDelayExecution,LdrInitializeThunk, | 7_2_04979840
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979860 NtQuerySystemInformation,LdrInitializeThunk, | 7_2_04979860
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049799A0 NtCreateSection,LdrInitializeThunk, | 7_2_049799A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 7_2_04979910
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A50 NtCreateFile,LdrInitializeThunk, | 7_2_04979A50
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049795F0 NtQueryInformationFile, | 7_2_049795F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497AD30 NtSetContextThread, | 7_2_0497AD30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979520 NtWaitForSingleObject, | 7_2_04979520
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979560 NtWriteFile, | 7_2_04979560
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979610 NtEnumerateValueKey, | 7_2_04979610
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979670 NtQueryInformationProcess, | 7_2_04979670
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049797A0 NtUnmapViewOfSection, | 7_2_049797A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497A710 NtOpenProcessToken, | 7_2_0497A710
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979730 NtQueryVirtualMemory, | 7_2_04979730
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497A770 NtOpenThread, | 7_2_0497A770
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979770 NtSetInformationFile, | 7_2_04979770
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979760 NtOpenProcess, | 7_2_04979760
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049798A0 NtWriteVirtualMemory, | 7_2_049798A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049798F0 NtReadVirtualMemory, | 7_2_049798F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979820 NtEnumerateKey, | 7_2_04979820
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497B040 NtSuspendThread, | 7_2_0497B040
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049799D0 NtCreateProcessEx, | 7_2_049799D0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979950 NtQueueApcThread, | 7_2_04979950
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A80 NtOpenDirectoryObject, | 7_2_04979A80
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A10 NtQuerySection, | 7_2_04979A10
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A00 NtProtectVirtualMemory, | 7_2_04979A00
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979A20 NtResumeThread, | 7_2_04979A20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0497A3B0 NtGetContextThread, | 7_2_0497A3B0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04979B00 NtSetValueKey, | 7_2_04979B00
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F81C0 NtCreateFile, | 7_2_004F81C0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F8270 NtReadFile, | 7_2_004F8270
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F82F0 NtClose, | 7_2_004F82F0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F83A0 NtAllocateVirtualMemory, | 7_2_004F83A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F82EA NtClose, | 7_2_004F82EA
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004F839A NtAllocateVirtualMemory, | 7_2_004F839A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_0040314A EntryPoint,#17,OleInitialize,SHGetFileInfoA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,GetCommandLineA,GetModuleHandleA,CharNextA,OleUninitialize,ExitProcess,lstrcatA,CreateDirectoryA,lstrcatA,lstrcatA,DeleteFileA,GetModuleFileNameA,lstrcmpiA,CopyFileA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess, | 0_2_0040314A
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 0_2_004046A7 | 0_2_004046A7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0040102C | 1_2_0040102C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00401030 | 1_2_00401030
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041B881 | 1_2_0041B881
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041C10F | 1_2_0041C10F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041A2A6 | 1_2_0041A2A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041BC41 | 1_2_0041BC41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00408C5C | 1_2_00408C5C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00408C60 | 1_2_00408C60
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00402D90 | 1_2_00402D90
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_0041CEF6 | 1_2_0041CEF6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00402FB0 | 1_2_00402FB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A920A0 | 1_2_00A920A0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B320A8 | 1_2_00B320A8
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A7B090 | 1_2_00A7B090
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B328EC | 1_2_00B328EC
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B3E824 | 1_2_00B3E824
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B21002 | 1_2_00B21002
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A84120 | 1_2_00A84120
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A6F900 | 1_2_00A6F900
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B322AE | 1_2_00B322AE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A9EBB0 | 1_2_00A9EBB0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B2DBD2 | 1_2_00B2DBD2
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B203DA | 1_2_00B203DA
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B32B28 | 1_2_00B32B28
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A7841F | 1_2_00A7841F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B2D466 | 1_2_00B2D466
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A92581 | 1_2_00A92581
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A7D5E0 | 1_2_00A7D5E0
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B325DD | 1_2_00B325DD
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A60D20 | 1_2_00A60D20
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B32D07 | 1_2_00B32D07
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B31D55 | 1_2_00B31D55
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B32EF7 | 1_2_00B32EF7
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00A86E30 | 1_2_00A86E30
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B2D616 | 1_2_00B2D616
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B31FF1 | 1_2_00B31FF1
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_2_00B3DFCE | 1_2_00B3DFCE
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0040102C | 1_1_0040102C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00401030 | 1_1_00401030
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041B881 | 1_1_0041B881
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041C10F | 1_1_0041C10F
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041A2A6 | 1_1_0041A2A6
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_0041BC41 | 1_1_0041BC41
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00408C5C | 1_1_00408C5C
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: 1_1_00408C60 | 1_1_00408C60
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0494841F | 7_2_0494841F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049FD466 | 7_2_049FD466
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04962581 | 7_2_04962581
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0494D5E0 | 7_2_0494D5E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A025DD | 7_2_04A025DD
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A02D07 | 7_2_04A02D07
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04930D20 | 7_2_04930D20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A01D55 | 7_2_04A01D55
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A02EF7 | 7_2_04A02EF7
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049FD616 | 7_2_049FD616
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04956E30 | 7_2_04956E30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A01FF1 | 7_2_04A01FF1
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0494B090 | 7_2_0494B090
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A020A8 | 7_2_04A020A8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049620A0 | 7_2_049620A0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A028EC | 7_2_04A028EC
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049F1002 | 7_2_049F1002
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0493F900 | 7_2_0493F900
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04954120 | 7_2_04954120
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A022AE | 7_2_04A022AE
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_0496EBB0 | 7_2_0496EBB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_049FDBD2 | 7_2_049FDBD2
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_04A02B28 | 7_2_04A02B28
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004FA2A6 | 7_2_004FA2A6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E8C5C | 7_2_004E8C5C
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E8C60 | 7_2_004E8C60
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E2D90 | 7_2_004E2D90
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004FCEF6 | 7_2_004FCEF6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_004E2FB0 | 7_2_004E2FB0
          Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\nsxFC1A.tmp\bdww7k1w8bk0.dll 6C4628D2A5D9FE67953D21A7AB0FF49BAC94B69FB32B5A1FA94AE8CB71A4D693
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 0493B150 appears 35 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: String function: 00419F70 appears 34 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: String function: 0041A0A0 appears 50 times
          Source: C:\Users\user\Desktop\AQJEKNHnWK.exe | Code function: String function: 00A6B150 appears 35 times
          Source: AQJEKNHnWK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: AQJEKNHnWK.exe, 00000000.00000003.207038845.000000001F036000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe, 00000001.00000002.256332303.0000000000B5F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe, 00000001.00000002.257477540.0000000002A0E000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameEXPLORER.EXEj% vs AQJEKNHnWK.exe
          Source: AQJEKNHnWK.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000007.00000002.467033203.00000000004E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brough