
Analysis Report 74ed218c_by_Libranalysis

Overview

General Information

Sample Name: 74ed218c_by_Libranalysis (renamed file extension from none to exe)
Analysis ID: 402842
MD5: 74ed218c2c421e3978445a1edbe40a08
SHA1: 16d950eae07654c9805d4476928c4c8d7d12fcc1
SHA256: b32ad3bf2b79e411ca0450c1d5430d12c9bb73c269e0838ee512bc816fcce3b7
Tags: Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 74ed218c_by_Libranalysis.exe (PID: 6800 cmdline: 'C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe' MD5: 74ED218C2C421E3978445A1EDBE40A08)
    • 74ed218c_by_Libranalysis.exe (PID: 6940 cmdline: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe MD5: 74ED218C2C421E3978445A1EDBE40A08)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 4704 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 5936 cmdline: /c del 'C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
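The chain above (the sample, a second copy of itself, explorer.exe, then a 32-bit cmd.exe that deletes the original file) is a parent/child pattern that endpoint telemetry can catch even though, as the Sigma section of this report notes, no Sigma rule matched. The following Python detector is an added example, not part of this report or of Joe Sandbox. Its event records are constructed to mirror the Startup tree; the field names (pid, ppid, image, cmdline) are modelled on Sysmon Event ID 1, the full path of explorer.exe is an assumption (the report shows only its name), and the API names are taken from the report. One caveat: the sandbox lists explorer.exe under the sample because it tracks code injection, whereas on a real host explorer.exe is a pre-existing process, so the self-spawn, WOW64-cmd and self-delete checks are the ones that transfer to production logs.

```python
"""Flag the FormBook-style process chain from the sandbox Startup tree.

Added example, not part of the Joe Sandbox report. Event fields follow
Sysmon Event ID 1 (an assumption); the explorer.exe path is assumed.
"""
import ntpath
import re

# Constructed process-creation events mirroring the report's Startup tree.
EVENTS = [
    {"pid": 6800, "ppid": 1, "image": r"C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe",
     "cmdline": r"'C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe'"},
    {"pid": 6940, "ppid": 6800, "image": r"C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe",
     "cmdline": r"C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe"},
    {"pid": 3440, "ppid": 6940, "image": r"C:\Windows\explorer.exe",  # path assumed
     "cmdline": ""},
    {"pid": 4704, "ppid": 3440, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 5936, "ppid": 4704, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"/c del 'C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe'"},
    {"pid": 5800, "ppid": 5936, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# Matches "/c del <path>" with or without quotes around the path.
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+)", re.IGNORECASE)


def ancestors(events, pid):
    """Yield the event for pid and then each ancestor, nearest first."""
    by_pid = {e["pid"]: e for e in events}
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]


def find_alerts(events):
    """Return (rule_name, pid) tuples for the suspicious relationships."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        name = ntpath.basename(e["image"]).lower()
        pname = ntpath.basename(parent["image"]).lower() if parent else ""
        image = e["image"].lower()

        # 1. An executable under C:\Users spawning a second copy of itself
        #    (the report: 'Creates a process in suspended mode').
        if parent and parent["image"].lower() == image and image.startswith(r"c:\users"):
            alerts.append(("self_spawn_from_user_dir", e["pid"]))

        # 2. explorer.exe launching the 32-bit (SysWOW64) cmd.exe. Only
        #    meaningful on 64-bit Windows, where explorer.exe is 64-bit.
        if name == "cmd.exe" and pname == "explorer.exe" and "\\syswow64\\" in image:
            alerts.append(("wow64_cmd_from_explorer", e["pid"]))

        # 3. cmd.exe deleting a file that is the image of one of its own
        #    ancestors: the dropper removing itself.
        m = DEL_RE.search(e["cmdline"])
        if m and name == "cmd.exe":
            target = m.group("target").strip().lower()
            if any(a["image"].lower() == target for a in ancestors(events, e["ppid"])):
                alerts.append(("self_delete_via_cmd", e["pid"]))
    return alerts


if __name__ == "__main__":
    for rule, pid in find_alerts(EVENTS):
        print(f"{rule}: pid {pid}")
```

Rule 3 walks the ancestor chain rather than only the direct parent because the deleting cmd.exe here is three hops away from the process whose image it removes.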

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(list truncated; the original report lists 15 memory-dump entries)

Unpacked PEs

Source | Rule | Description | Author
3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(list truncated; the original report lists 4 unpacked-PE entries)
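The three JPCERT/CC strings above are each a five-byte `push imm32` (opcode 0x68 followed by a little-endian immediate), and their names imply the immediates are hashed references to sqlite3 functions; the hashing algorithm is not stated in this report, so the example below only locates the patterns and decodes the immediates. It is an added example, not code from the report or from the cited YARA rules: a minimal hex-string matcher run over a constructed buffer, so it runs offline. The rule condition (all three strings present) is an assumption about the original rule.

```python
"""Re-check the JPCERT/CC FormBook hex strings against a memory buffer.

Added example, not part of the Joe Sandbox report or of the YARA rules it
cites. The buffer is constructed; the 'all three strings' condition and the
push-imm32 reading of the 0x68 byte are assumptions.
"""
import struct

# The three strings exactly as listed in the report's YARA matches.
RULE_STRINGS = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}


def hex_to_bytes(pattern):
    """Turn a YARA-style hex string (no wildcards) into bytes."""
    return bytes(int(tok, 16) for tok in pattern.split())


def find_all(buf, needle):
    """Return every offset at which needle occurs in buf (overlaps allowed)."""
    offsets, start = [], 0
    while (pos := buf.find(needle, start)) != -1:
        offsets.append(pos)
        start = pos + 1
    return offsets


def scan(buf, strings=RULE_STRINGS):
    """Map each rule string name to the offsets where it matches in buf."""
    return {name: find_all(buf, hex_to_bytes(pat)) for name, pat in strings.items()}


def push_immediates(buf, hits):
    """Decode the 32-bit immediate of each 'push imm32' (0x68) match."""
    out = {}
    for name, offs in hits.items():
        out[name] = [struct.unpack_from("<I", buf, o + 1)[0]
                     for o in offs if buf[o] == 0x68]
    return out


def rule_matches(buf, required=3):
    """Assumed rule condition: all three strings must be present."""
    return sum(1 for offs in scan(buf).values() if offs) >= required


# Constructed buffer: NOP filler, each push followed by 'call eax' (FF D0),
# placed at known offsets so the matcher's output can be checked.
SAMPLE = (b"\x90" * 16
          + hex_to_bytes("68 34 1C 7B E1") + b"\xff\xd0"
          + b"\x90" * 8
          + hex_to_bytes("68 38 2A 90 C5") + b"\xff\xd0"
          + hex_to_bytes("68 53 D8 7F 8C"))


if __name__ == "__main__":
    hits = scan(SAMPLE)
    for name, imms in push_immediates(SAMPLE, hits).items():
        print(name, [hex(o) for o in hits[name]], [hex(i) for i in imms])
    print("rule matches:", rule_matches(SAMPLE))
```

Running the same scan over the report's dump would be done by reading the .sdmp file into `buf`; the decoded immediates are the values to search for when hunting the same hashes in other dumps, independent of where the push happens to sit.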

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (same configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 74ed218c_by_Libranalysis.exe | ReversingLabs: Detection: 13%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.378002260.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.593997073.0000000002780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.341386451.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.74ed218c_by_Libranalysis.exe.4261998.3.raw.unpack, type: UNPACKEDPE
Source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 74ed218c_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 74ed218c_by_Libranalysis.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.358213656.0000000007BA0000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 74ed218c_by_Libranalysis.exe, 00000003.00000002.378356516.00000000018BF000.00000040.00000001.sdmp, cmd.exe, 00000007.00000003.378745605.0000000002CD0000.00000004.00000001.sdmp
Source: Binary string: cmd.pdbUGP | source: 74ed218c_by_Libranalysis.exe, 00000003.00000003.376909835.0000000001361000.00000004.00000001.sdmp, cmd.exe, 00000007.00000002.593308926.00000000002A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 74ed218c_by_Libranalysis.exe, cmd.exe
Source: Binary string: cmd.pdb | source: 74ed218c_by_Libranalysis.exe, 00000003.00000003.376909835.0000000001361000.00000004.00000001.sdmp, cmd.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.358213656.0000000007BA0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C31DC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0BA881B0)
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0BA89288)
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0BA882DC)
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0BA89279)
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h (1_2_0BA881A1)
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then pop edi (3_2_0040C368)
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 4x nop then pop esi (3_2_004157FE)
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop edi (7_2_0278C368)
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 4x nop then pop esi (7_2_027957FE)

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49754 -> 166.62.10.48:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49754 -> 166.62.10.48:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49754 -> 166.62.10.48:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cats16.com/8u3b/
Source: global traffic | HTTP traffic detected: GET /8u3b/?EzrxUr=ApmP+YWYCK6vLVfjcl0EWRKNz1AqTOP9eBXy99nVLHRI2g8p2qSHut9K1XPRX5z6HIA+7i/UvA==&0VMt8D=3fJTbJlpxpVT_2d0 HTTP/1.1 | Host: www.spwakd.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /8u3b/?EzrxUr=PWNBDH2hPCb1us8Ao8B+54WayNfcYj50QVchuC7xNQJC497qOyaPHph0Z/JAkFEaPJmxv/9Dmg==&0VMt8D=3fJTbJlpxpVT_2d0 HTTP/1.1 | Host: www.arfjkacsgatfzbazpdth.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /8u3b/?EzrxUr=TE3r3Po/80I3A7BjdmOrtV2X1cXMdBXcsPlehNMo8xFrjXCGEx4PM+IgH3zoRtc5Tgzkp+uvDw==&0VMt8D=3fJTbJlpxpVT_2d0 HTTP/1.1 | Host: www.babyshopit.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /8u3b/?0VMt8D=3fJTbJlpxpVT_2d0&EzrxUr=QhGT3fvyIg/Tdu+peJX/18F82XojpghVKKtPaYcZWPnpiCRWL9VDuvxnUE1ISN8qX8wj4FmhpA== HTTP/1.1 | Host: www.pyqxlz.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 23.227.38.74
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: HETZNER-ASDE
Source: Joe Sandbox View | ASN Name: AS-TIERP-36024US
Source: unknown | DNS traffic detected: queries for: www.amazoncovid19tracer.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx/1.10.3 | Date: Mon, 03 May 2021 12:43:30 GMT | Content-Type: text/html | Content-Length: 169 | Connection: close | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 30 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body bgcolor="white"><center><h1>404 Not Found</h1></center><hr><center>nginx/1.10.3</center></body></html>
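Every observed check-in above goes to a host from the configuration's decoy list (www.spwakd.com, www.arfjkacsgatfzbazpdth.com, www.babyshopit.com, www.pyqxlz.com), all on the same /8u3b/ path as the single real C2 entry www.cats16.com/8u3b/; none of the captured requests reach the real C2. That matters for triage: a FormBook infection generates alerts against many legitimate-looking domains, and only the host in "C2 list" is the operator's. The Python below is an added example, not part of this report or of Joe Sandbox, that classifies captured requests against the extracted configuration and records the traits (no User-Agent, fixed path, the same two query parameter names) that identify the check-in regardless of host. The configuration values and the first two requests are copied from the report; the decoy list is shortened to the entries needed here (the full list has 64 domains); the www.cats16.com request and the benign request are constructed, as is the request record format.

```python
"""Classify observed FormBook check-ins against the extracted configuration.

Added example, not part of the Joe Sandbox report. Configuration values
and the first two requests come from the report; the other two requests
and the record format (host, target, headers) are constructed.
"""
import json
from urllib.parse import urlsplit, parse_qs

# Extracted configuration as printed in the report, decoy list shortened
# to the domains used below (the report lists 64).
CONFIG = json.loads('''{"C2 list": ["www.cats16.com/8u3b/"],
 "decoy": ["spwakd.com", "babyshopit.com", "pyqxlz.com",
           "arfjkacsgatfzbazpdth.com", "amazoncovid19tracer.com"]}''')

REQUESTS = [
    {"host": "www.spwakd.com",                       # observed in the report
     "target": "/8u3b/?EzrxUr=ApmP+YWYCK6vLVfjcl0EWRKNz1AqTOP9eBXy99nVLHRI2g8p2qSHut9K1XPRX5z6HIA+7i/UvA==&0VMt8D=3fJTbJlpxpVT_2d0",
     "headers": {"Connection": "close"}},
    {"host": "www.pyqxlz.com",                       # observed in the report
     "target": "/8u3b/?0VMt8D=3fJTbJlpxpVT_2d0&EzrxUr=QhGT3fvyIg/Tdu+peJX/18F82XojpghVKKtPaYcZWPnpiCRWL9VDuvxnUE1ISN8qX8wj4FmhpA==",
     "headers": {"Connection": "close"}},
    {"host": "www.cats16.com",                       # constructed, not observed
     "target": "/8u3b/?EzrxUr=AAAA&0VMt8D=3fJTbJlpxpVT_2d0",
     "headers": {"Connection": "close"}},
    {"host": "www.example.org",                      # constructed benign request
     "target": "/index.html",
     "headers": {"Connection": "close", "User-Agent": "Mozilla/5.0"}},
]


def registrable(host):
    """Drop a leading 'www.' so hosts compare against the config's bare domains."""
    return host[4:] if host.startswith("www.") else host


def c2_paths(config):
    """Map bare C2 hostname -> URI path prefix from the 'C2 list' entries."""
    out = {}
    for entry in config["C2 list"]:
        parts = urlsplit("http://" + entry)
        out[registrable(parts.hostname)] = parts.path
    return out


def classify(request, config):
    """Return 'c2', 'decoy', 'c2-path-unknown-host' or 'benign'."""
    host = registrable(request["host"].lower())
    path = urlsplit(request["target"]).path
    paths = c2_paths(config)
    on_c2_path = any(path.startswith(p) for p in paths.values())
    if host in paths and path.startswith(paths[host]):
        return "c2"
    if host in config["decoy"] and on_c2_path:
        return "decoy"
    if on_c2_path:
        # Same path as the configured C2 but a host outside the config:
        # worth a look, since the config may have rotated since extraction.
        return "c2-path-unknown-host"
    return "benign"


def checkin_fingerprint(request):
    """Header and URI traits that identify the check-in regardless of host."""
    parts = urlsplit(request["target"])
    return {
        "no_user_agent": "User-Agent" not in request["headers"],
        "query_params": sorted(parse_qs(parts.query)),
        "path": parts.path,
    }


if __name__ == "__main__":
    for r in REQUESTS:
        print(r["host"], classify(r, CONFIG), checkin_fingerprint(r))
```

The decoy hosts are real third-party domains, so blocking them wholesale would cause collateral damage; the combination of the configured path, the parameter names and the missing User-Agent is the portable detection, and the "C2 list" host is the one to escalate.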
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 74ed218c_by_Libranalysis.exe, 00000001.00000002.340649422.00000000031C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.341165696.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.364055555.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: 74ed218c_by_Libranalysis.exe | String found in binary or memory: https://github.com/unguest
Source: 74ed218c_by_Libranalysis.exe | String found in binary or memory: https://github.com/unguest9WinForms_RecursiveFormCreate5WinForms_SeeInnerExceptionGProperty
Source: 74ed218c_by_Libranalysis.exe, 00000001.00000002.340709877.0000000003215000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: 74ed218c_by_Libranalysis.exe, 00000001.00000002.338123907.00000000014AB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.378002260.0000000001650000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.593997073.0000000002780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.341386451.00000000041C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.74ed218c_by_Libranalysis.exe.4261998.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.378002260.0000000001650000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.378002260.0000000001650000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.593997073.0000000002780000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.593997073.0000000002780000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.341386451.00000000041C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.341386451.00000000041C9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.74ed218c_by_Libranalysis.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.74ed218c_by_Libranalysis.exe.4261998.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.74ed218c_by_Libranalysis.exe.4261998.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_004182E0 NtClose
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00418392 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018099A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018098F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018095D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018097A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018096E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018099D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809950 NtQueueApcThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018098A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809820 NtEnumerateKey
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0180B040 NtSuspendThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0180A3B0 NtGetContextThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809B00 NtSetValueKey
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809A10 NtQuerySection
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018095F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0180AD30 NtSetContextThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809560 NtWriteFile
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0180A710 NtOpenProcessToken
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809760 NtOpenProcess
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0180A770 NtOpenThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809770 NtSetInformationFile
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018096D0 NtCreateKey
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809650 NtQueryValueKey
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AB42E NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AB4F8 NtQueryInformationToken,NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AB4C0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002CB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C9AB4 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EDA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EDB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9660 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9650 NtQueryValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9760 NtOpenProcess
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EDA770 NtOpenThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EDA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9560 NtWriteFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EDAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02798260 NtReadFile
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_027982E0 NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_027981B0 NtCreateFile
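The native-call rows above are the raw material an analyst uses to name the injection technique without opening a disassembler: NtCreateSection/NtMapViewOfSection, NtUnmapViewOfSection/NtWriteVirtualMemory/NtSetContextThread/NtResumeThread and NtQueueApcThread all occur in both the sample's process (3) and the cmd.exe process (7), and the addresses pair up at the same 64 KiB-granularity offset (3_2_018099A0 against 7_2_02ED99A0, 3_2_004181B0 against 7_2_027981B0), which is what the same code looks like once it has been copied into a second process at a different base. The script below, an added example that is not part of the sandbox report or of the FormBook sample, parses a subset of the rows excerpted from this page (it also accepts the fused form produced by text extraction, where the row reference is echoed at the end of the line), groups the APIs per process, checks them against a small technique table of my own (an assumption, not a Joe Sandbox signature), and recovers the relocation deltas between the two processes.

```python
"""Parse the 'Code function' rows of this report and derive injection evidence (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Rows excerpted from this report. The parser also accepts the fused form produced by text
# extraction, in which the row's reference (pid_phase_address) is echoed at the end of the row.
ROWS = r"""
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018099A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018097A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018099D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809950 NtQueueApcThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018098A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0180AD30 NtSetContextThread
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01809A20 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AB42E NtOpenThreadToken,NtOpenProcessToken,NtClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EDAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ED9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_027981B0 NtCreateFile
"""
# One row in the fused form text extraction produces (reference echoed at the end).
RAW_ROW = (r"Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exeCode function: "
           r"3_2_018099A0 NtCreateSection,LdrInitializeThunk,3_2_018099A0")

ROW_RE = re.compile(
    r"^Source: (?P<src>.+?)\s*(?:\|\s*)?Code function: "
    r"(?P<ref>(?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-Fa-f]{8}))"
    r"(?:[: ]\s*(?P<calls>.*?))?(?:,?(?P=ref))?$"
)


@dataclass(frozen=True)
class CodeFunction:
    source: str
    pid: int
    address: int
    calls: Tuple[str, ...]


def parse_rows(text: str) -> List[CodeFunction]:
    funcs: List[CodeFunction] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        calls = tuple(c for c in (m["calls"] or "").split(",") if c)
        funcs.append(CodeFunction(m["src"], int(m["pid"]), int(m["addr"], 16), calls))
    return funcs


# Native-API combinations that, seen together in one process, evidence an injection technique
# (my own table, not a sandbox signature).
TECHNIQUES: Dict[str, Set[str]] = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "section-mapping injection": {"NtCreateSection", "NtMapViewOfSection"},
    "APC injection": {"NtQueueApcThread"},
}


def techniques_per_process(funcs: List[CodeFunction]) -> Dict[int, List[str]]:
    seen: Dict[int, Set[str]] = defaultdict(set)
    for f in funcs:
        seen[f.pid].update(f.calls)
    return {pid: sorted(t for t, need in TECHNIQUES.items() if need <= apis)
            for pid, apis in seen.items()}


def relocated_stubs(funcs: List[CodeFunction]) -> Dict[Tuple[str, int], List[Tuple[int, int]]]:
    """Functions whose first call and 64 KiB-granularity offset recur in more than one process:
    the same code hosted at a different base, i.e. an image copied into the second process."""
    sites: Dict[Tuple[str, int], Set[Tuple[int, int]]] = defaultdict(set)
    for f in funcs:
        if f.calls:
            sites[(f.calls[0], f.address & 0xFFFF)].add((f.pid, f.address))
    return {k: sorted(v) for k, v in sites.items() if len({pid for pid, _ in v}) > 1}


def relocation_deltas(funcs: List[CodeFunction]) -> Set[int]:
    """Distinct base-address deltas between processes; one delta per relocated image."""
    deltas: Set[int] = set()
    for located in relocated_stubs(funcs).values():
        by_pid = dict(located)  # pid -> address (one site per pid in these rows)
        pids = sorted(by_pid)
        deltas.update(by_pid[b] - by_pid[a] for a, b in zip(pids, pids[1:]))
    return deltas


if __name__ == "__main__":
    parsed = parse_rows(ROWS)
    for pid, techs in sorted(techniques_per_process(parsed).items()):
        print(f"process {pid}: {', '.join(techs) or 'no injection pattern'}")
    for (api, off), where in sorted(relocated_stubs(parsed).items()):
        print(f"{api:<22} offset 0x{off:04X} at " + ", ".join(f"pid {p} 0x{a:08X}" for p, a in where))
    print("relocation deltas:", ", ".join(f"0x{d:08X}" for d in sorted(relocation_deltas(parsed))))
```

On these rows both processes satisfy all three patterns, and two deltas come out: 0x016D0000 separates the 0x0180xxxx stubs from their 0x02EDxxxx twins, and 0x02380000 separates the 0x0040xxxx payload functions from their 0x0279xxxx twins, so two distinct images were relocated into cmd.exe. The 64 KiB mask is chosen because Windows image bases are allocation-granularity aligned, so relocation preserves the low 16 bits of every function address; a 4 KiB page mask would work too but tolerates more accidental collisions.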
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B6550 memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B374E InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_016C94A8
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_016CC148
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_016CA758
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA88A28
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA878C0
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA81830
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA81D30
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA863FA
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA86228
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA86219
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA83249
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA83258
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA81820
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA80F95
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA80FD0
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA85E29
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA85E38
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA81D1F
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA83D61
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA83D70
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA8642D
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 1_2_0BA86450
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0041B944
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0041BB84
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00408C4B
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00408C50
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0041BCF5
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0041C5ED
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0041B70F
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017E4120
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017CF900
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017E99BF
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018920A8
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017EA830
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018928EC
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01881002
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0189E824
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017F20A0
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017DB090
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017EAB40
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018803DA
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0188DBD2
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018723E3
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017EA309
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01892B28
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017FABD8
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0186CB4F
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017FEBB0
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017F138B
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018922AE
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017EB236
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01884AEF
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0187FA2B
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01882D82
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_018925DD
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017C0D20
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01892D07
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017DD5E0
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01891D55
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017F2581
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017EB477
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01884496
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017D841F
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0188D466
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0189DFCE
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01891FF1
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_017E6E30
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_01892EF7
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: 3_2_0188D616
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AD803
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AE040
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C5CEA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A48E6
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A9CF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C3506
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B1969
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B6550
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A7190
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C31DC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A5226
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002AFA30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A5E70
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002A8AD7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002ACB48
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002C6FF0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_002B5FC8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F54AEF
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F622AE
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EBB236
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F4FA2B
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F423E3
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F5DBD2
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F503DA
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ECABD8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02ECEBB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EC138B
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EBAB40
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F3CB4F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F62B28
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EBA309
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F628EC
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EC20A0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F620A8
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EAB090
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F6E824
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EBA830
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F51002
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EB99BF
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EB4120
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02E9F900
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F62EF7
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EB6E30
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F5D616
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F61FF1
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F6DFCE
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F54496
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F5D466
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EBB477
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EA841F
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EAD5E0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F625DD
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02EC2581
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F52D82
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F61D55
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02E90D20
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02F62D07
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0279BB84
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0279B944
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02782FB0
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02788C50
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02788C4B
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0279BCF5
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_0279C5ED
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 7_2_02782D90
Source: C:\Users\user\Desktop\74ed218c_by_Libranalysis.exe | Code function: String function: 017CB150 appears 136 times
Source: C:\Windows\SysWOW64\cmd.exe | Code function: String function: 02E9B150 appears 136 times
Source: 74ed218c_by_Libranalysis.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 74ed218c_by_Libranalysis.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 74ed218c_by_Libranalysis.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 74ed218c_by_Libranalysis.exe | Binary or memory string: OriginalFilename vs 74ed218c_by_Libranalysis.exe
Source: 74ed218c_by_Libranalysis.exe, 00000001.00000003.333147033.000000000432A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs 74ed218c_by_Libranalysis.exe
Source: 74ed218c_by_Libranalysis.exe, 00000001.00000002.340649422.00000000031C1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs 74ed218c_by_Libranalysis.exe
Source: 74ed218c_by_Libranalysis.exe | Binary or memory string: OriginalFilename vs 74ed218c_by_Libranalysis.exe
Source: 74ed218c_by_Libranalysis.exe, 00000003.00000002.378205032.000000000173D000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs 74ed218c_by_Libranalysis.exe
Source: 74ed218c_by_Libranalysis.exe, 00000003.00000002.378356516.00000000018BF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 74ed218c_by_Libranalysis.exe
Source: 74ed218c_by_Libranalysis.exe | Binary or memory string: OriginalFilenameIBuiltInPermission.exe6 vs 74ed218c_by_Libranalysis.exe
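The rows above compare every OriginalFilename value the sandbox finds with the name of the file on disk. The two that matter for triage are Cmd.Exe and ntdll.dll, both found inside dumps of process 3, the sample's own process, whose names end in 00000040.00000001.sdmp. The script below is an added example, not part of the sandbox report or of the sample: it decodes such a dump name (the field layout, process index, phase, sequence number, base address, page protection and memory type, is my reading of the names on this page and is an assumption; the PAGE_* values are the winnt.h constants), scans a memory blob for UTF-16LE OriginalFilename entries the way a strings pass would, and flags a dump in which another binary's version resource sits in a writable and executable region. The blob it scans is constructed here from the names on this page, so the script runs offline.

```python
"""Decode a Joe Sandbox dump name and scan the dump for foreign OriginalFilename values (added example)."""
import re
from typing import Dict, Iterable, List

# Assumed layout of the dump file names cited in this report:
#   <process index>.<phase>.<sequence>.<base address>.<page protection>.<memory type>.sdmp
SDMP_RE = re.compile(
    r"^(?P<pid>\d{8})\.(?P<phase>\d{8})\.(?P<seq>\d+)\.(?P<base>[0-9A-Fa-f]{16})"
    r"\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)
# Windows PAGE_* protection constants (winnt.h).
PAGE_NAMES = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
              0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
              0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def parse_dump_name(name: str) -> Dict[str, object]:
    m = SDMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    protect = int(m["protect"], 16)
    prot_base = protect & 0xFF  # strip modifiers such as PAGE_GUARD (0x100)
    return {
        "pid": int(m["pid"]), "phase": int(m["phase"]), "base": int(m["base"], 16),
        "protect": protect, "protect_name": PAGE_NAMES.get(prot_base, "unknown"),
        "executable": prot_base in (0x10, 0x20, 0x40, 0x80),
        "writable": prot_base in (0x04, 0x08, 0x40, 0x80),
    }


KEY = "OriginalFilename".encode("utf-16-le")


def original_filenames(blob: bytes) -> List[str]:
    """Every OriginalFilename value stored as UTF-16LE in the blob (VS_VERSIONINFO String
    layout: key, NUL terminator, DWORD alignment padding, value, NUL terminator)."""
    values: List[str] = []
    pos = 0
    while (i := blob.find(KEY, pos)) >= 0:
        j = i + len(KEY)
        while blob[j:j + 2] == b"\x00\x00":  # skip terminator and padding
            j += 2
        k = j
        while k + 1 < len(blob) and blob[k:k + 2] != b"\x00\x00":
            k += 2
        value = blob[j:k].decode("utf-16-le", errors="replace")
        if value:
            values.append(value)
        pos = k
    return values


def foreign_images(expected: Iterable[str], values: Iterable[str]) -> List[str]:
    """Version-resource names that belong neither to the file on disk nor to its own resource."""
    own = {e.lower() for e in expected}
    return sorted({v for v in values if v.lower() not in own}, key=str.lower)


def triage(dump_name: str, blob: bytes, expected: Iterable[str]) -> Dict[str, object]:
    info = parse_dump_name(dump_name)
    info["foreign_images"] = foreign_images(expected, original_filenames(blob))
    # The loader maps system images such as ntdll.dll with read-execute code, never RWX, so
    # another binary's version resource inside an RWX region points at a privately written copy.
    info["suspicious"] = bool(info["foreign_images"]) and info["executable"] and info["writable"]
    return info


def _version_string(key: str, value: str) -> bytes:
    """Simplified StringFileInfo entry: UTF-16LE key, NUL, DWORD padding, UTF-16LE value, NUL."""
    raw = key.encode("utf-16-le") + b"\x00\x00"
    raw += b"\x00" * (-len(raw) % 4)
    return raw + value.encode("utf-16-le") + b"\x00\x00"


# Constructed stand-in for dump bytes; the names are the ones this report lists.
SAMPLE_BLOB = (b"\x90" * 16 + _version_string("OriginalFilename", "ntdll.dll")
               + b"\xcc" * 7 + _version_string("OriginalFilename", "Cmd.Exe")
               + _version_string("OriginalFilename", "IBuiltInPermission.exe") + b"\x00" * 8)
EXPECTED = {"74ed218c_by_Libranalysis.exe", "IBuiltInPermission.exe"}

if __name__ == "__main__":
    for name in ("00000003.00000002.378356516.00000000018BF000.00000040.00000001.sdmp",
                 "00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp"):
        r = triage(name, SAMPLE_BLOB, EXPECTED)
        print(f"pid {r['pid']} base 0x{r['base']:08X} {r['protect_name']}: "
              f"foreign={r['foreign_images']} suspicious={r['suspicious']}")
```

With the dump names from this page, the 0x018BF000 region of process 3 decodes to PAGE_EXECUTE_READWRITE and the scan turns up ntdll.dll and Cmd.Exe, so it is flagged; the 0x02880000 region of process 7 decodes to PAGE_READWRITE and is not, even though the same strings are present. Odd-offset junk between entries (the 7 filler bytes) is deliberate: a strings-style scan has to find the key at any byte offset, not only at DWORD boundaries.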
Source: 74ed218c_by_Libranalysis.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.377542690.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.378047898.0000000001680000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.378002260.0000000001650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.378002260.0000000001650000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.594461458.0000000002880000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000002.593997073.0000000002780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000002.593997073.0000000002780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.341386451.00000000041C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = au