
Analysis Report gzU8odwaPalRTGB.exe

Overview

General Information

Sample Name: gzU8odwaPalRTGB.exe
Analysis ID: 383962
MD5: bc0859493d8419f5ffe0468d23938256
SHA1: 70c3b42db2fc29bb0de21db911b85adf600fb9f2
SHA256: 64f1791681e261b0e652130f8f7fca8e1098a4c03fee49652a14d682681f85cf
Tags: Formbook

Most interesting Screenshot: (image not reproduced)

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • gzU8odwaPalRTGB.exe (PID: 3092 cmdline: 'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe' MD5: BC0859493D8419F5FFE0468D23938256)
    • schtasks.exe (PID: 2596 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • RegSvcs.exe (PID: 6228 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3472 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 6904 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 7068 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.smarttel.management/msc/"], "decoy": ["vanwertfamilyhealth.com", "amiawke.com", "hq-leaks.net", "playersgolfworld.info", "atlantaoffshore.com", "redstateaf.com", "leosquad.world", "elchtec.com", "mjshenanigans.com", "rbsccj.com", "360healthy.life", "sympa.digital", "afrotresor.com", "amazingliberty.com", "realsults.com", "preethamgudichuttu.com", "anastasiavegilates.com", "blockchainfest.asia", "viaverdeproject.net", "shouryashukla.com", "african-elephant.com", "factorysale.online", "vqxxmrxhpsho.mobi", "munchstaging.com", "codealemayohabrha.com", "melrosecakecompany.com", "themaskamigo.com", "aviatop.online", "coivdanswers.com", "geralouittane.com", "amazonshack.com", "aeguana.info", "samaalkaleej.com", "disruptorgen.com", "crystalcpv.com", "lsertsex.com", "affiliatesupersummit.com", "tintuc-247.info", "balakawu.com", "smartecomall.com", "chorahouses.com", "bellezaorganica.club", "greenbayhemorrhoidcenter.com", "iklanlaskar.com", "oldtownbusinessdistrict.com", "hindmetalhouse.com", "diligentpom.com", "genetic-web.com", "novergi.com", "sincetimebegan.com", "foodyfie.com", "wfiboostrs.com", "startuphrs.com", "vkjuzcsh.icu", "primarewards.net", "snappygarden.com", "rangerpoint.net", "meramission.com", "adsatadvanstar.com", "railrockers.com", "smartlightinggreenidea.com", "streetsmartlove.net", "shnfxj.com", "sms-master.online"]}

Yara Overview

Memory Dumps

Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(18 further memory dump entries are not included in this extract.)

Unpacked PEs

Source: 5.2.RegSvcs.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 5.2.RegSvcs.exe.400000.0.raw.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 5.2.RegSvcs.exe.400000.0.raw.unpack
Rule: Formbook
Description: detect Formbook in memory
Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: JoeSecurity_FormBook
Description: Yara detected FormBook
Author: Joe Security

Source: 5.2.RegSvcs.exe.400000.0.unpack
Rule: Formbook_1
Description: autogenerated rule brought to you by yara-signator
Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(1 further unpacked PE entry is not included in this extract.)

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security; Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\gzU8odwaPalRTGB.exe', ParentImage: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe, ParentProcessId: 3092, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\fgEePtnFJH' /XML 'C:\Users\user\AppData\Local\Temp\tmpDFE8.tmp', ProcessId: 2596

          Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: gzU8odwaPalRTGB.exe; Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe; Avira: detection malicious, Label: HEUR/AGEN.1138557
Found malware configuration
Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe; ReversingLabs: Detection: 29%
Multi AV Scanner detection for submitted file
Source: gzU8odwaPalRTGB.exe; ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match; File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
Source: gzU8odwaPalRTGB.exe; Joe Sandbox ML: detected
Source: 5.2.RegSvcs.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: gzU8odwaPalRTGB.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: gzU8odwaPalRTGB.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP; source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb,; source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP; source: RegSvcs.exe, 00000005.00000002.306866453.000000000100F000.00000040.00000001.sdmp, rundll32.exe, 0000000F.00000002.505143843.000000000508F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: RegSvcs.exe, rundll32.exe
Source: Binary string: rundll32.pdb; source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
Source: Binary string: rundll32.pdbGCTL; source: RegSvcs.exe, 00000005.00000002.306707675.0000000000DE0000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb; source: rundll32.exe, 0000000F.00000002.506707645.000000000549F000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb; source: explorer.exe, 00000006.00000000.291054222.000000000EC20000.00000002.00000001.sdmp
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then pop edi (5_2_00416CA2)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Code function: 4x nop then pop edi (5_2_00417D70)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then pop edi (15_2_00F76CA2)
Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 4x nop then pop edi (15_2_00F77D70)

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.smarttel.management/msc/
Source: global traffic; HTTP traffic detected: GET /msc/?szr8=ZuDCMQ3I4T3VSTegk+AGxuqfe6TeNyWCjdwuw+un6PC0oplRc+HjqgF4wozRSCgma/XR&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1; Host: www.novergi.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: global traffic; HTTP traffic detected: GET /msc/?szr8=SLnxv5WEj6Yhjlrb8B4FzKU74ag+VtkikWCAHb2VKlwGrAtgyss6rL13pJnEzWIQGWFv&4hnPsj=W2J4SLjHGHypclVp HTTP/1.1; Host: www.realsults.com; Connection: close; Data Raw: 00 00 00 00 00 00 00; Data Ascii:
Source: Joe Sandbox View; ASN Name: ACPCA ACPCA
Source: Joe Sandbox View; ASN Name: HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK HKMTC-AS-APHONGKONGMegalayerTechnologyCoLimitedHK
Source: unknown; DNS traffic detected: queries for: www.novergi.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found; Date: Thu, 08 Apr 2021 11:13:25 GMT; Server: Apache/2.4.29 (Ubuntu); Content-Length: 327; Connection: close; Content-Type: text/html; charset=utf-8; Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /msc/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.237699855.000000000194D000.00000004.00000001.sdmp; String found in binary or memory: http://en.w
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261130122.00000000030E1000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gzU8odwaPalRTGB.exe; String found in binary or memory: http://tempuri.org/GridOneHSDataSet.xsd
Source: gzU8odwaPalRTGB.exe; String found in binary or memory: http://tempuri.org/HighScoresDataSet.xsd
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266271453.0000000006290000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comcetab
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266271453.0000000006290000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.como
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, gzU8odwaPalRTGB.exe, 00000000.00000003.238346544.00000000062AE000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238372995.00000000062AB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comc6l=
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238372995.00000000062AB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comicwl
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238340434.00000000062AB000.00000004.00000001.sdmp; String found in binary or memory: http://www.fonts.comnMlB
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, gzU8odwaPalRTGB.exe, 00000000.00000003.240223538.00000000062CD000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240412200.0000000006294000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/y
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240223538.00000000062CD000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn;
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240236409.0000000006294000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnN
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.240236409.0000000006294000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cnc
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.241670026.0000000006294000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.241670026.0000000006294000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/F
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.241670026.0000000006294000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, gzU8odwaPalRTGB.exe, 00000000.00000003.238136203.00000000062AE000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238136203.00000000062AE000.00000004.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.coma-d
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.239669252.0000000006296000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.krv
Source: explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238853595.00000000062AB000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.com6l=
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238739060.00000000062AB000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comhlg
Source: gzU8odwaPalRTGB.exe, 00000000.00000003.238853595.00000000062AB000.00000004.00000001.sdmp; String found in binary or memory: http://www.tiro.comn
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.266347099.0000000006380000.00000002.00000001.sdmp, explorer.exe, 00000006.00000000.289815525.000000000BC30000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: gzU8odwaPalRTGB.exe, 00000000.00000002.261174361.0000000003136000.00000004.00000001.sdmp; String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Code function: 0_2_07D56E58 NtQueryInformationProcess, | 0_2_07D56E58
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | Code function: 0_2_07D56E51 NtQueryInformationProcess, | 0_2_07D56E51
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419D60 NtCreateFile, | 5_2_00419D60
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419E10 NtReadFile, | 5_2_00419E10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419E90 NtClose, | 5_2_00419E90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419F40 NtAllocateVirtualMemory, | 5_2_00419F40
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419D5A NtCreateFile, | 5_2_00419D5A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419E0A NtReadFile, | 5_2_00419E0A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00419F3A NtAllocateVirtualMemory, | 5_2_00419F3A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F598F0 NtReadVirtualMemory,LdrInitializeThunk, | 5_2_00F598F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59860 NtQuerySystemInformation,LdrInitializeThunk, | 5_2_00F59860
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59840 NtDelayExecution,LdrInitializeThunk, | 5_2_00F59840
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F599A0 NtCreateSection,LdrInitializeThunk, | 5_2_00F599A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 5_2_00F59910
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59A50 NtCreateFile,LdrInitializeThunk, | 5_2_00F59A50
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59A20 NtResumeThread,LdrInitializeThunk, | 5_2_00F59A20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59A00 NtProtectVirtualMemory,LdrInitializeThunk, | 5_2_00F59A00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F595D0 NtClose,LdrInitializeThunk, | 5_2_00F595D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59540 NtReadFile,LdrInitializeThunk, | 5_2_00F59540
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F596E0 NtFreeVirtualMemory,LdrInitializeThunk, | 5_2_00F596E0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59660 NtAllocateVirtualMemory,LdrInitializeThunk, | 5_2_00F59660
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F597A0 NtUnmapViewOfSection,LdrInitializeThunk, | 5_2_00F597A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59780 NtMapViewOfSection,LdrInitializeThunk, | 5_2_00F59780
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59710 NtQueryInformationToken,LdrInitializeThunk, | 5_2_00F59710
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F598A0 NtWriteVirtualMemory, | 5_2_00F598A0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F5B040 NtSuspendThread, | 5_2_00F5B040
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59820 NtEnumerateKey, | 5_2_00F59820
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F599D0 NtCreateProcessEx, | 5_2_00F599D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59950 NtQueueApcThread, | 5_2_00F59950
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59A80 NtOpenDirectoryObject, | 5_2_00F59A80
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59A10 NtQuerySection, | 5_2_00F59A10
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F5A3B0 NtGetContextThread, | 5_2_00F5A3B0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59B00 NtSetValueKey, | 5_2_00F59B00
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F595F0 NtQueryInformationFile, | 5_2_00F595F0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59560 NtWriteFile, | 5_2_00F59560
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F5AD30 NtSetContextThread, | 5_2_00F5AD30
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59520 NtWaitForSingleObject, | 5_2_00F59520
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F596D0 NtCreateKey, | 5_2_00F596D0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59670 NtQueryInformationProcess, | 5_2_00F59670
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59650 NtQueryValueKey, | 5_2_00F59650
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59610 NtEnumerateValueKey, | 5_2_00F59610
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59FE0 NtCreateMutant, | 5_2_00F59FE0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59770 NtSetInformationFile, | 5_2_00F59770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F5A770 NtOpenThread, | 5_2_00F5A770
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59760 NtOpenProcess, | 5_2_00F59760
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F59730 NtQueryVirtualMemory, | 5_2_00F59730
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 5_2_00F5A710 NtOpenProcessToken, | 5_2_00F5A710
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9860 NtQuerySystemInformation,LdrInitializeThunk, | 15_2_04FD9860
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9840 NtDelayExecution,LdrInitializeThunk, | 15_2_04FD9840
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD95D0 NtClose,LdrInitializeThunk, | 15_2_04FD95D0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD99A0 NtCreateSection,LdrInitializeThunk, | 15_2_04FD99A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9540 NtReadFile,LdrInitializeThunk, | 15_2_04FD9540
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk, | 15_2_04FD9910
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD96E0 NtFreeVirtualMemory,LdrInitializeThunk, | 15_2_04FD96E0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD96D0 NtCreateKey,LdrInitializeThunk, | 15_2_04FD96D0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9660 NtAllocateVirtualMemory,LdrInitializeThunk, | 15_2_04FD9660
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9A50 NtCreateFile,LdrInitializeThunk, | 15_2_04FD9A50
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9650 NtQueryValueKey,LdrInitializeThunk, | 15_2_04FD9650
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9FE0 NtCreateMutant,LdrInitializeThunk, | 15_2_04FD9FE0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9780 NtMapViewOfSection,LdrInitializeThunk, | 15_2_04FD9780
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9710 NtQueryInformationToken,LdrInitializeThunk, | 15_2_04FD9710
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD98F0 NtReadVirtualMemory, | 15_2_04FD98F0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD98A0 NtWriteVirtualMemory, | 15_2_04FD98A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FDB040 NtSuspendThread, | 15_2_04FDB040
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9820 NtEnumerateKey, | 15_2_04FD9820
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD95F0 NtQueryInformationFile, | 15_2_04FD95F0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD99D0 NtCreateProcessEx, | 15_2_04FD99D0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9560 NtWriteFile, | 15_2_04FD9560
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9950 NtQueueApcThread, | 15_2_04FD9950
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FDAD30 NtSetContextThread, | 15_2_04FDAD30
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9520 NtWaitForSingleObject, | 15_2_04FD9520
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9A80 NtOpenDirectoryObject, | 15_2_04FD9A80
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9670 NtQueryInformationProcess, | 15_2_04FD9670
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9A20 NtResumeThread, | 15_2_04FD9A20
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9610 NtEnumerateValueKey, | 15_2_04FD9610
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9A10 NtQuerySection, | 15_2_04FD9A10
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9A00 NtProtectVirtualMemory, | 15_2_04FD9A00
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FDA3B0 NtGetContextThread, | 15_2_04FDA3B0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD97A0 NtUnmapViewOfSection, | 15_2_04FD97A0
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9770 NtSetInformationFile, | 15_2_04FD9770
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FDA770 NtOpenThread, | 15_2_04FDA770
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9760 NtOpenProcess, | 15_2_04FD9760
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9730 NtQueryVirtualMemory, | 15_2_04FD9730
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FDA710 NtOpenProcessToken, | 15_2_04FDA710
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_04FD9B00 NtSetValueKey, | 15_2_04FD9B00
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79D60 NtCreateFile, | 15_2_00F79D60
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79E90 NtClose, | 15_2_00F79E90
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79E10 NtReadFile, | 15_2_00F79E10
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79F40 NtAllocateVirtualMemory, | 15_2_00F79F40
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79D5A NtCreateFile, | 15_2_00F79D5A
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79E0A NtReadFile, | 15_2_00F79E0A
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 15_2_00F79F3A NtAllocateVirtualMemory, | 15_2_00F79F3A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 00F1B150 appears 35 times
          Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 04F9B150 appears 35 times
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272310690.0000000007B80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll" vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.260380327.0000000000DF4000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameExceptionFromErrorCode.exe4 vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272159297.0000000007880000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272662463.000000000EF50000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272291076.00000000079F0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll2 vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272908381.000000000F050000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe, 00000000.00000002.272908381.000000000F050000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe | Binary or memory string: OriginalFilenameExceptionFromErrorCode.exe4 vs gzU8odwaPalRTGB.exe
          Source: gzU8odwaPalRTGB.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.305959053.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.306550106.0000000000A70000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.306525774.0000000000A40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.501334938.0000000000F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.504075659.0000000004D70000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.503984351.0000000004D40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.261576689.00000000041A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: gzU8odwaPalRTGB.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: fgEePtnFJH.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@3/2
          Source: C:\Users\user\Desktop\gzU8odwaPalRTGB.exe | File created: C:\Users\user\AppData\Roaming\fgEePtnFJH.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:248:120:WilError_01