Analysis Report PO_29_00412.exe

Overview

General Information

Sample Name: PO_29_00412.exe
Analysis ID: 399774
MD5: e4ad95f61666b540024ff22a60816843
SHA1: c4a9865e453e8592047a849640b455f2e499f162
SHA256: bc4765682b3b1250e178d1154cfd56fbe1fb4ac0c8e8346d9e6f3ed6c661907d
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • PO_29_00412.exe (PID: 5760 cmdline: 'C:\Users\user\Desktop\PO_29_00412.exe' MD5: E4AD95F61666B540024FF22A60816843)
    • PO_29_00412.exe (PID: 5980 cmdline: 'C:\Users\user\Desktop\PO_29_00412.exe' MD5: E4AD95F61666B540024FF22A60816843)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • rundll32.exe (PID: 4928 cmdline: C:\Windows\SysWOW64\rundll32.exe MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • cmd.exe (PID: 5540 cmdline: /c del 'C:\Users\user\Desktop\PO_29_00412.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.werealestatephotography.com/hw6d/"], "decoy": ["medicare101now.com", "danahillathletics.com", "realjobexpert.com", "boulderhalle-hamburg.com", "idoweddinghair.com", "awdcompanies.com", "thevillaflora.com", "neutrasystems.com", "allwest-originals.com", "designtehengsg.com", "thenewyorker.computer", "ladybugtubs.com", "silina-beauty24.com", "mifangtu.com", "fashionbranddeveloper.com", "istanbulhookah.com", "askyoyo.com", "osaka-computer.net", "conegenie.com", "agteless.com", "carsoncredittx.com", "wellalytics.com", "onjulitrading.com", "thelocallawnmen.com", "loanascustomboutique.com", "ohcaftanmycaftan.com", "ardor-fitness.com", "benzinhayvancilik.com", "apthaiproperty.com", "maxim.technology", "dfch18.com", "davaoaffordablecondo.com", "sueshemp.com", "missmaltese.com", "lakecountrydems.com", "lastminuteminister.com", "sofiascelebrations.com", "socialaspecthouston.com", "rechnung.pro", "kathyscrabhouse.com", "themusasoficial.com", "reversemortgageloanmiami.com", "vrventurebsp.com", "whatalode.com", "xh03.net", "qiqihao.site", "specstrii.com", "organicfarmteam.com", "codebinnovations.net", "kizunaservice.com", "lboclkchain.com", "frorool.com", "dpok.network", "desafogados.com", "vestblue.net", "forguyshere.com", "recordprosperity.info", "theballoonbirds.com", "adityabirla-loan.com", "midgex.info", "qishuxia.com", "panopticop.com", "gd-kangda.com", "hotelbrainclub.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(19 entries in total; the remaining entries are not shown here)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.PO_29_00412.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.PO_29_00412.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO_29_00412.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
1.1.PO_29_00412.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.PO_29_00412.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 entries in total; the remaining entries are not shown here)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://www.agteless.com/hw6d/?wR9=5qwRj4Cks+XUvhq+/72yLl02AnqHimYvFWLTxgnccFxg28KqBmPa1ezdvIZqmAulhHSP&3f=ZlLd8r8PtX, Avira URL Cloud: Label: malware
Source: http://www.sueshemp.com/hw6d/?wR9=AAdYqRCZdpBCICVD7XT/TJuWXv5e4p9OLjsTJuFeeFMT5Erf7T6eOfQLuJbJMdHcFc0O&3f=ZlLd8r8PtX, Avira URL Cloud: Label: malware
Source: http://www.lboclkchain.com/hw6d/?wR9=YjpOOYUDmjvdyafLH2XIreLzwhI/7xCnoo7q/I/3CP849+jnPV3O3CrzxJL1042huvEP&3f=ZlLd8r8PtX, Avira URL Cloud: Label: malware
Source: http://www.missmaltese.com/hw6d/?wR9=6RCAxHzHs2U8cKrh6h9/ydGjrhxnSTzcOHDfHkTTDkA8hCV/5sMta/cQsHNALet3pcHc&3f=ZlLd8r8PtX, Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsr1FDB.tmp\o9oo.dll, ReversingLabs: Detection: 14%
Multi AV Scanner detection for submitted file
Source: PO_29_00412.exe, ReversingLabs: Detection: 36%
Yara detected FormBook
Source: Yara match, File source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PO_29_00412.exe.3120000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PO_29_00412.exe.3120000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: PO_29_00412.exe, Joe Sandbox ML: detected
Source: 1.2.PO_29_00412.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.PO_29_00412.exe.3120000.4.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.PO_29_00412.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO_29_00412.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: PO_29_00412.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP source: PO_29_00412.exe, 00000000.00000003.215175981.0000000003150000.00000004.00000001.sdmp, PO_29_00412.exe, 00000001.00000002.261540179.0000000000A40000.00000040.00000001.sdmp, rundll32.exe, 00000007.00000002.483945483.00000000046FF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: PO_29_00412.exe, rundll32.exe
Source: Binary string: rundll32.pdb source: PO_29_00412.exe, 00000001.00000002.261401303.0000000000609000.00000004.00000020.sdmp
Source: Binary string: rundll32.pdbGCTL source: PO_29_00412.exe, 00000001.00000002.261401303.0000000000609000.00000004.00000020.sdmp
Source: C:\Users\user\Desktop\PO_29_00412.exe, Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004059F0
Source: C:\Users\user\Desktop\PO_29_00412.exe, Code function: 0_2_0040659C FindFirstFileA,FindClose,0_2_0040659C
Source: C:\Users\user\Desktop\PO_29_00412.exe, Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1
Source: C:\Users\user\Desktop\PO_29_00412.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\PO_29_00412.exe, File opened: C:\Users\user\AppData\Local\Temp\nsw1FAB.tmp
Source: C:\Users\user\Desktop\PO_29_00412.exe, File opened: C:\Users\user\Desktop\PO_29_00412.exe
Source: C:\Users\user\Desktop\PO_29_00412.exe, File opened: C:\Users\user\AppData\Local\Temp\d4kvs9nrjol318
Source: C:\Users\user\Desktop\PO_29_00412.exe, File opened: C:\Users\user\AppData\Local\Temp\9o96oivnhyxfeg7
Source: C:\Users\user\Desktop\PO_29_00412.exe, File opened: C:\Users\user\Desktop\desktop.ini

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49731 -> 198.185.159.144:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49732 -> 198.71.232.3:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49732 -> 198.71.232.3:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49732 -> 198.71.232.3:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 216.239.38.21:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 216.239.38.21:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 216.239.38.21:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.werealestatephotography.com/hw6d/
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=5qwRj4Cks+XUvhq+/72yLl02AnqHimYvFWLTxgnccFxg28KqBmPa1ezdvIZqmAulhHSP&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.agteless.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPaWrxhtzEdX&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.werealestatephotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=6RCAxHzHs2U8cKrh6h9/ydGjrhxnSTzcOHDfHkTTDkA8hCV/5sMta/cQsHNALet3pcHc&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.missmaltese.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=AAdYqRCZdpBCICVD7XT/TJuWXv5e4p9OLjsTJuFeeFMT5Erf7T6eOfQLuJbJMdHcFc0O&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.sueshemp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=qHgMXp9xjKSDLOSO1Rlwgbov7xJRe3AlLaObeu+vQaN20mncnLVgIjt7WgvbzUpJv8vJ&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.onjulitrading.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=Ddm3qJHqgzBdBhAnftzkfa9VwSzTwTX1J1BudaGH8hBPcPYq/VmKmGqlzVIhNMaY+qFM&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.rechnung.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=NqDP1kNWGB45muwCVyMdlJqLatp7PevtuQ88HQHRMDyTbQkj9J6FuQuiyA3H8+Oo5z8S&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.conegenie.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=QbKX2W928fHcAtFGRb4REkUMiu4SoEjkfForEbaW1QS7nBKCPnGWTt7TK177yyq4Tjq5&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.thelocallawnmen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=YjpOOYUDmjvdyafLH2XIreLzwhI/7xCnoo7q/I/3CP849+jnPV3O3CrzxJL1042huvEP&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.lboclkchain.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=dUGVTn/5aJJKliywqMmmpRKN90QgELEtjSlSK2PFHkAeyTnfmB2J+703q8XbnRj4tTIF&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.sofiascelebrations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=M8b3PqXkcz6dEhacbWPz+tEbXPpZ+zWHtV+3ceu/G8IJbp6ZEJFkth5W4QT35NMVcxfa&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.awdcompanies.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 198.71.232.3 198.71.232.3
Source: Joe Sandbox View, IP Address: 198.185.159.144 198.185.159.144
Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View, ASN Name: POWERLINE-AS-APPOWERLINEDATACENTERHK POWERLINE-AS-APPOWERLINEDATACENTERHK
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=5qwRj4Cks+XUvhq+/72yLl02AnqHimYvFWLTxgnccFxg28KqBmPa1ezdvIZqmAulhHSP&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.agteless.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=um+iqA/SlswPLY/3czDk0wl6oY0PgWYbosSPlOYlzmcZrAL5djGLa7ExvPaWrxhtzEdX&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.werealestatephotography.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=6RCAxHzHs2U8cKrh6h9/ydGjrhxnSTzcOHDfHkTTDkA8hCV/5sMta/cQsHNALet3pcHc&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.missmaltese.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=AAdYqRCZdpBCICVD7XT/TJuWXv5e4p9OLjsTJuFeeFMT5Erf7T6eOfQLuJbJMdHcFc0O&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.sueshemp.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=qHgMXp9xjKSDLOSO1Rlwgbov7xJRe3AlLaObeu+vQaN20mncnLVgIjt7WgvbzUpJv8vJ&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.onjulitrading.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=Ddm3qJHqgzBdBhAnftzkfa9VwSzTwTX1J1BudaGH8hBPcPYq/VmKmGqlzVIhNMaY+qFM&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.rechnung.pro | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=NqDP1kNWGB45muwCVyMdlJqLatp7PevtuQ88HQHRMDyTbQkj9J6FuQuiyA3H8+Oo5z8S&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.conegenie.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=QbKX2W928fHcAtFGRb4REkUMiu4SoEjkfForEbaW1QS7nBKCPnGWTt7TK177yyq4Tjq5&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.thelocallawnmen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=YjpOOYUDmjvdyafLH2XIreLzwhI/7xCnoo7q/I/3CP849+jnPV3O3CrzxJL1042huvEP&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.lboclkchain.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=dUGVTn/5aJJKliywqMmmpRKN90QgELEtjSlSK2PFHkAeyTnfmB2J+703q8XbnRj4tTIF&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.sofiascelebrations.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /hw6d/?wR9=M8b3PqXkcz6dEhacbWPz+tEbXPpZ+zWHtV+3ceu/G8IJbp6ZEJFkth5W4QT35NMVcxfa&3f=ZlLd8r8PtX HTTP/1.1 | Host: www.awdcompanies.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.qiqihao.site
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=utf-8 | Cache-Control: no-cache, no-store, max-age=0, must-revalidate | Pragma: no-cache | Expires: Mon, 01 Jan 1990 00:00:00 GMT | Date: Thu, 29 Apr 2021 05:56:58 GMT | P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info." | Report-To: {"group":"GeoMerchantPrestoSiteUi","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/GeoMerchantPrestoSiteUi/external"}]} | Cross-Origin-Resource-Policy: cross-origin | Cross-Origin-Opener-Policy-Report-Only: same-origin-allow-popups; report-to="GeoMerchantPrestoSiteUi" | Content-Security-Policy: script-src 'report-sample' 'nonce-yKjbPO9cW/r8JFbtNMEfag' 'unsafe-inline';object-src 'none';base-uri 'self';report-uri /_/GeoMerchantPrestoSiteUi/cspreport;worker-src 'self' | Server: ESF | X-XSS-Protection: 0 | X-Content-Type-Options: nosniff | Set-Cookie: NID=214=SOvaASTHxw7U1fTR9rJ3TgpN6uoP22uaitiapyy700A-c0PNUvBgcy4IsPZBXRqyCotXMbgYjEVXHhDNisdmEIgsA3gZ7yHtdHfRo1dXVU3TJ01bi7dFCCk-qslNYyy0wosmA_MyPKuECW_5TiXV6QvH7yBIhotQ-xEF5pPHxCo; expires=Fri, 29-Oct-2021 05:56:58 GMT; path=/; domain=.google.com; HttpOnly | Accept-Ranges: none | Vary: Accept-Encoding | Transfer-Encoding: chunked | Connection: close | Data Raw: 36 35 33 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 | Data Ascii: 653<html lang=en><meta charset=utf-8><meta name=viewport content="initial-scale=1, minimum-scale=1, widt
Source: explorer.exe, 00000004.00000000.247851925.000000000F672000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: PO_29_00412.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: PO_29_00412.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.241224976.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\PO_29_00412.exe, Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040548D

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PO_29_00412.exe.3120000.4.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.PO_29_00412.exe.3120000.4.raw.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.2.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_29_00412.exe.3120000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO_29_00412.exe.3120000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 1.1.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.PO_29_00412.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_29_00412.exe.3120000.4.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.PO_29_00412.exe.3120000.4.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: PO_29_00412.exe
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004182E0 NtClose
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004181AA NtCreateFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_004182DA NtClose
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9820 NtEnumerateKey
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAB040 NtSuspendThread
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9950 NtQueueApcThread
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9A10 NtQuerySection
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9B00 NtSetValueKey
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAAD30 NtSetContextThread
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9560 NtWriteFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA96D0 NtCreateKey
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9650 NtQueryValueKey
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9760 NtOpenProcess
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AA9770 NtSetInformationFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00AAA770 NtOpenThread
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_00418260 NtReadFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004182E0 NtClose
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004181AA NtCreateFile
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_004182DA NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046495D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046496E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046496D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046499A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649560 NtWriteFile
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046495F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649760 NtOpenProcess
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464A770 NtOpenThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649770 NtSetInformationFile
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046497A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464B040 NtSuspendThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649820 NtEnumerateKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046498F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046498A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649950 NtQueueApcThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046499D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A20 NtResumeThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A10 NtQuerySection
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04649B00 NtSetValueKey
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0464A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006281B0 NtCreateFile
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00628260 NtReadFile
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006282E0 NtClose
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00628390 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006281AA NtCreateFile
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_006282DA NtClose
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 0_2_00403461 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 0_2_00406925
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00408C4B
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00408C50
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_0041BC56
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_0041B496
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_0041CD31
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A920A0
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B320A8
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A7B090
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B328EC
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B3E824
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B21002
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A84120
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A6F900
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B322AE
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A9EBB0
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B2DBD2
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B203DA
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B32B28
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A7841F
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B2D466
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A92581
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A7D5E0
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B325DD
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A60D20
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B32D07
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B31D55
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B32EF7
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00A86E30
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B2D616
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B31FF1
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_2_00B3DFCE
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: 1_1_00401030
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046CD466
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0461841F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D1D55
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04600D20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D2D07
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0461D5E0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D25DD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04632581
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04626E30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046CD616
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D2EF7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D1FF1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046DDFCE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046DE824
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046C1002
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D28EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046320A0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D20A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0461B090
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_04624120
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0460F900
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046BFA2B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D22AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0462AB40
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046D2B28
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046C03DA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_046CDBD2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0463EBB0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00618C4B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00618C50
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0062B496
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0062CD31
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00612D87
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00612D90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00612FB0
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: String function: 0041A090 appears 38 times
Source: C:\Users\user\Desktop\PO_29_00412.exe | Code function: String function: 00A6B150 appears 39 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 0460B150 appears 45 times
Source: PO_29_00412.exe, 00000000.00000003.219519129.0000000003296000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO_29_00412.exe
Source: PO_29_00412.exe, 00000001.00000002.261401303.0000000000609000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameRUNDLL32.EXEj% vs PO_29_00412.exe
Source: PO_29_00412.exe, 00000001.00000002.261873134.0000000000CEF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO_29_00412.exe
Source: PO_29_00412.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.479453831.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.480594324.0000000000830000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.225535038.0000000003120000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.261451958.0000000000900000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.261351613.00000000005B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.221080798.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.480879219.0000000000960000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.261176274.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.PO_29_00412.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, ma<