
Analysis Report TT.exe

Overview

General Information

Sample Name: TT.exe
Analysis ID: 403976
MD5: 27c863c479b0542b3bad21a67ad1406d
SHA1: 791e1d123c275ac4451c5550635c0a67eb4398a6
SHA256: 2a7a9c6d4505766ddf0a6c7dde9c2ae52369408fbe5ce93d0d3d76bf992b28dd
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: System File Execution Location Anomaly
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • TT.exe (PID: 6588 cmdline: 'C:\Users\user\Desktop\TT.exe' MD5: 27C863C479B0542B3BAD21A67AD1406D)
    • TT.exe (PID: 6624 cmdline: 'C:\Users\user\Desktop\TT.exe' MD5: 27C863C479B0542B3BAD21A67AD1406D)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 7052 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6640 cmdline: /c del 'C:\Users\user\Desktop\TT.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.knighttechinca.com/dxe/"], "decoy": ["sardarfarm.com", "959tremont.com", "privat-livecam.net", "ansel-homebakery.com", "joysupermarket.com", "peninsulamatchmakers.net", "northsytyle.com", "radioconexaoubermusic.com", "relocatingrealtor.com", "desyrnan.com", "onlinehoortoestel.online", "enpointe.online", "rvvikings.com", "paulpoirier.com", "shitarpa.net", "kerneis.net", "rokitreach.com", "essentiallygaia.com", "prestiged.net", "fuerzaagavera.com", "soukid.com", "moderndatingcoach.com", "mentalfreedom.guru", "bullishsoftware.com", "sectorulb.com", "outletyana.com", "fptplaybox.website", "artinmemory.com", "buyruon.com", "ljd.xyz", "mondaysmatters.com", "spiritsoundart.net", "ixiangzu.com", "lacompagniadelfardello.com", "bnctly.com", "sarasvati-yoga.com", "0055game.com", "lagrangewildliferemoval.com", "umlausa.com", "chaytel.com", "kkkc5.com", "union-green.com", "philreid4cc.com", "theanimehat.com", "redlightlegal.com", "myaustraliarewards.com", "barkinlot.com", "mujahidservice.online", "nugeneraonline.com", "sopplugin.com", "makemyroom.design", "ferienschweden.com", "fps2020dkasphotoop.com", "stylezbykay.com", "royalpropertiesgurugram.com", "birzulova.com", "cosmicmtn.com", "kissanime.press", "poweringprogress.today", "omsamedic.com", "drunkpoetsociety.com", "hostbison.com", "asapdecor.com", "houseofsisson.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.TT.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.TT.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.TT.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
1.2.TT.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.TT.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: System File Execution Location Anomaly
Source: Process started; Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community; Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\explorer.exe, NewProcessName: C:\Windows\explorer.exe, OriginalFileName: C:\Windows\explorer.exe, ParentCommandLine: 'C:\Users\user\Desktop\TT.exe' , ParentImage: C:\Users\user\Desktop\TT.exe, ParentProcessId: 6624, ProcessCommandLine: , ProcessId: 3440
Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3440, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 7052

Signature Overview


AV Detection:

Found malware configuration
Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (full configuration listed above under Malware Configuration)
Multi AV Scanner detection for submitted file
Source: TT.exe; Virustotal: Detection: 25%
Source: TT.exe; ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match; File source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: TT.exe; Joe Sandbox ML: detected
Source: 1.2.TT.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.TT.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.TT.exe.3030000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: TT.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: TT.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.366025907.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: msdt.pdbGCTL source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: TT.exe, 00000000.00000003.331979334.0000000003060000.00000004.00000001.sdmp, TT.exe, 00000001.00000002.393874457.0000000000B4F000.00000040.00000001.sdmp, msdt.exe, 00000007.00000002.598843723.0000000004DFF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: TT.exe, msdt.exe
Source: Binary string: msdt.pdb source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.366025907.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\TT.exe; Code function: 0_2_004059F0 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,0_2_004059F0
Source: C:\Users\user\Desktop\TT.exe; Code function: 0_2_0040659C FindFirstFileA,FindClose,0_2_0040659C
Source: C:\Users\user\Desktop\TT.exe; Code function: 0_2_004027A1 FindFirstFileA,0_2_004027A1

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.knighttechinca.com/dxe/
Source: global traffic; HTTP traffic detected: GET /dxe/?oZN=7nbLudZHS&mdslXXV=s4725d3Oabb4GJPvvzs1NGtrQqdCSFbT14B5hiC+hEbCkkM6v8NMU0M9YHV7hr/JdwNsVvK8Ug== HTTP/1.1 Host: www.philreid4cc.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /dxe/?mdslXXV=c1qXo+D3OeWS7aQwzsMJrh0J2W+ZcnXSIybZATOUAxrA4uZvd+OeJvPZ6sfOQ4L/XOcBlc02WQ==&oZN=7nbLudZHS HTTP/1.1 Host: www.sectorulb.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic; HTTP traffic detected: GET /dxe/?oZN=7nbLudZHS&mdslXXV=pSmvUx3Cd9o2ehLRUYmTuUG+rz67XAZoYuLBzxOhEanl5TCXMyweO2X8MqC68oVFQcjckZtQvA== HTTP/1.1 Host: www.lagrangewildliferemoval.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View; IP Address: 192.0.78.24
Source: Joe Sandbox View; ASN Name: AUTOMATTICUS
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View; ASN Name: EGIHOSTINGUS
Source: unknown; DNS traffic detected: queries for: www.philreid4cc.com
Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found Date: Tue, 04 May 2021 13:43:34 GMT Server: Apache Content-Length: 315 Connection: close Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: TT.exe; String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: TT.exe; String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000002.596476580.000000000095C000.00000004.00000020.sdmp; String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.361956304.000000000B1A6000.00000002.00000001.sdmp; String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\TT.exe; Code function: 0_2_0040548D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_0040548D

E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.335739935.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.344692024.0000000003030000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.597417500.0000000002F90000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.392976261.00000000005E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.TT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.TT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TT.exe.3030000.4.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.TT.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.TT.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.TT.exe.3030000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419D5A NtCreateFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419E0A NtReadFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419E8A NtClose
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00419F3A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A998F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A999A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A995D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A996E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A997A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A998A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99820 NtEnumerateKey
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A9B040 NtSuspendThread
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A999D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99950 NtQueueApcThread
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99A10 NtQuerySection
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A9A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99B00 NtSetValueKey
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A995F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A9AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99560 NtWriteFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A996D0 NtCreateKey
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99650 NtQueryValueKey
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A9A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99760 NtOpenProcess
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A99770 NtSetInformationFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A9A770 NtOpenThread
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00419E90 NtClose
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00419D5A NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D495D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D499A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D496D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D496E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D498F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D498A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D4B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D499D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D495F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D4AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D4A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D497A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D4A770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D4A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D49730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9D60 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9E10 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9E90 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9D5A NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9E0A NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9E8A NtClose
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007D9F3A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\TT.exe, Code function: 0_2_00403461 EntryPoint, SetErrorMode, GetVersion, lstrlenA, #17, OleInitialize, SHGetFileInfoA, GetCommandLineA, CharNextA, GetTempPathA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, GetTempPathA, lstrcatA, SetEnvironmentVariableA, SetEnvironmentVariableA, SetEnvironmentVariableA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcatA, lstrcatA, lstrcmpiA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges, ExitWindowsEx, ExitProcess
          Source: C:\Users\user\Desktop\TT.exe, Code function: 0_2_00406925
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_0041E1FC
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_0041D260
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_0041DA2A
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_0041BDC4
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00409E40
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00409E3C
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_0041D6DF
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_0041DFA3
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A820A0
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B220A8
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A6B090
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B228EC
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B11002
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A74120
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A5F900
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B222AE
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A8EBB0
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B1DBD2
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B22B28
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A6841F
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B1D466
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A82581
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A6D5E0
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B225DD
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A50D20
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B22D07
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B21D55
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B22EF7
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00A76E30
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_2_00B21FF1
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00401030
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_0041E1FC
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_0041D260
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_0041DA2A
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_0041BDC4
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00402D90
          Source: C:\Users\user\Desktop\TT.exe, Code function: 1_1_00409E40
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD28EC
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D1B090
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D320A0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD20A8
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DCD466
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D1841F
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DC1002
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD25DD
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D1D5E0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D32581
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD1D55
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D0F900
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD2D07
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D00D20
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D24120
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD2EF7
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD22AE
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D26E30
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DCDBD2
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD1FF1
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04D3EBB0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_04DD2B28
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007DE1FC
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007DBDC4
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007C2D90
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007C9E40
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007C9E3C
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007C2FB0
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: 7_2_007DDFA3
          Source: C:\Users\user\Desktop\TT.exe, Code function: String function: 00A5B150 appears 35 times
          Source: C:\Windows\SysWOW64\msdt.exe, Code function: String function: 04D0B150 appears 35 times
          Source: TT.exe, 00000000.00000003.334832337.000000000333F000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs TT.exe
          Source: TT.exe, 00000001.00000002.396335168.0000000002810000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamemsdt.exej% vs TT.exe
          Source: TT.exe, 00000001.00000002.393874457.0000000000B4F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs TT.exe
          Source: TT.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.597321036.0000000002F60000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.392835395.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.393512483.00000000009F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.595686544.00000000007C0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memo