

Analysis Report UGGJ4NnzFz

Overview

General Information

Sample Name: UGGJ4NnzFz (renamed file extension from none to exe)
Analysis ID: 432566
MD5: b148ae414eb8a1b34a15cdb32c21f9ee
SHA1: 25b78f76010cc34843352c78d4f8e07a28b46b32
SHA256: 193788545c12c697fe660e9dd178e5d97478d5b90d5b0096f1cd6a9b641d48e9

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • UGGJ4NnzFz.exe (PID: 4884 cmdline: 'C:\Users\user\Desktop\UGGJ4NnzFz.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)
    • UGGJ4NnzFz.exe (PID: 5520 cmdline: 'C:\Users\user\Desktop\UGGJ4NnzFz.exe' MD5: B148AE414EB8A1B34A15CDB32C21F9EE)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 6512 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6668 cmdline: /c del 'C:\Users\user\Desktop\UGGJ4NnzFz.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6676 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x166b9:$sqlite3step: 68 34 1C 7B E1
  • 0x167cc:$sqlite3step: 68 34 1C 7B E1
  • 0x166e8:$sqlite3text: 68 38 2A 90 C5
  • 0x1680d:$sqlite3text: 68 38 2A 90 C5
  • 0x166fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated: 19 entries in the full report)

Unpacked PEs

Source | Rule | Description | Author | Strings
1.1.UGGJ4NnzFz.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.1.UGGJ4NnzFz.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13895:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13381:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13997:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b0f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x859a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9312:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18987:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.1.UGGJ4NnzFz.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group |
  • 0x158b9:$sqlite3step: 68 34 1C 7B E1
  • 0x159cc:$sqlite3step: 68 34 1C 7B E1
  • 0x158e8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a0d:$sqlite3text: 68 38 2A 90 C5
  • 0x158fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a23:$sqlite3blob: 68 53 D8 7F 8C
1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security |
1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com |
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(table truncated: 13 entries in the full report)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.rebeccannemontgomery.net/dp3a/"], "decoy": ["frayl.com", "utmostroofing.com", "galactigames.com", "kingguardgroup.com", "goldinsacks.com", "platinumcreditrepair.net", "sw-advisers.com", "ininjawebtech.com", "spectrurnvisionpartners.com", "freshdeliciousberryfarm.com", "12796.xyz", "goldgrandpa.com", "chicago-trading.academy", "newstechealth.com", "pecon.pro", "2dmaxximumrecords.com", "athrivingthirtysomething.com", "universalphonemarket.com", "motivationinterviewsinc.com", "virtualrealty.tours", "bring-wellness.com", "fengshuimingshi.com", "urbanpite.com", "28ji.site", "xuanpei.net", "letstrumpbiden.com", "xtremetechtv.com", "leyardzm.net", "funemoke.net", "closetofaurora.com", "theyogirunner.com", "pmbcommercial.com", "michiganpsychologist.com", "foodandbio.com", "goodlukc.com", "kingofkingslovesyou.com", "topazsnacks.com", "vinpearlnhatrangbay.com", "24x7dream.com", "attafine.com", "hireinone.xyz", "growwithjenn.com", "fortworthsurrogacy.com", "kladios.com", "aishark.net", "havenparent.com", "elementaryelegance.com", "moulardfarms.net", "tomrings.com", "allyexpense.com", "juleshypnosis.com", "rboxtogo.com", "restorey.com", "oilleakgames.com", "protectpursuit.com", "checkitreviews.com", "jeremypohu.com", "mnanoramaonline.com", "xn--instagrm-fza.com", "fianser.com", "www-338616.com", "woollardhenry.com", "reviewdrkofford.com", "vandalvans.com"]}
Multi AV Scanner detection for submitted file
Source: UGGJ4NnzFz.exe, Virustotal: Detection: 29%
Source: UGGJ4NnzFz.exe, ReversingLabs: Detection: 29%
Yara detected FormBook
Source: Yara match, File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: UGGJ4NnzFz.exe, Joe Sandbox ML: detected
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.cmmon32.exe.624368.0.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 9.2.cmmon32.exe.4a87960.5.unpack, Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: UGGJ4NnzFz.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: cmmon32.pdb source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: cmmon32.pdbGCTL source: UGGJ4NnzFz.exe, 00000001.00000002.274327095.0000000000930000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: UGGJ4NnzFz.exe, 00000000.00000003.212550994.0000000009A50000.00000004.00000001.sdmp, UGGJ4NnzFz.exe, 00000001.00000002.274348250.0000000000970000.00000040.00000001.sdmp, cmmon32.exe, 00000009.00000002.477934562.000000000466F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: UGGJ4NnzFz.exe, cmmon32.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\Desktop\UGGJ4NnzFz.exe
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\AppData\Local\Temp\nsyA3E3.tmp
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\AppData\Local\Temp\dceotuvjnitpz
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, File opened: C:\Users\user\AppData\Local\Temp\6jlp0t221b5inmotwb6
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 4x nop then pop esi, 1_2_0041583E
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 4x nop then pop ebx, 1_2_00406A96
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4x nop then pop esi, 9_2_003B583E
Source: C:\Windows\SysWOW64\cmmon32.exe, Code function: 4x nop then pop ebx, 9_2_003A6A96

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49741 -> 34.102.136.180:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49743 -> 157.245.232.77:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49744 -> 23.227.38.74:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49747 -> 62.149.128.40:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.rebeccannemontgomery.net/dp3a/
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=fFin23A3InOxv8Q1OZSqiWR/FjS3KuFpXPcC+roY+PuFOGx4uYNLJpybUr51Ny74Rks0&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.protectpursuit.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=DH0B3lUhAa5VBPw8nCCOXpLU24maY23yGmrt22qj0kvQjGAaKYYXdT0Mh/TRCK5k4cmX HTTP/1.1 Host: www.freshdeliciousberryfarm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.sw-advisers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR HTTP/1.1 Host: www.goldgrandpa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP HTTP/1.1 Host: www.goldinsacks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQrTWYg/sJi HTTP/1.1 Host: www.growwithjenn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.bring-wellness.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View, IP Address: 62.149.128.40
Source: Joe Sandbox View, IP Address: 160.153.136.3
Source: Joe Sandbox View, ASN Name: ARUBA-ASNIT
Source: Joe Sandbox View, ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View, ASN Name: GODADDY-AMSDE
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=fFin23A3InOxv8Q1OZSqiWR/FjS3KuFpXPcC+roY+PuFOGx4uYNLJpybUr51Ny74Rks0&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.protectpursuit.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=DH0B3lUhAa5VBPw8nCCOXpLU24maY23yGmrt22qj0kvQjGAaKYYXdT0Mh/TRCK5k4cmX HTTP/1.1 Host: www.freshdeliciousberryfarm.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=76AMkVxxuSKB5pgh4RNc3EipO3rbFW8MEUNJys/eLa/AxdTMjRac1XeBowoP/wZORJRk&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.sw-advisers.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=GkWHDDYMiWr4Ju0U4teKyAR8hKcpKlGmV2ZHyKwA/bXhSAEvQCtqjiLuXtjyxk2BGjrR HTTP/1.1 Host: www.goldgrandpa.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkTQi7ynUSvkYXlrnDKiUoE/Bv6J35YIy7pKLvP HTTP/1.1 Host: www.goldinsacks.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=WU2tAheQ8tcf93YEudKDnPgih3iSbxP+RxOmhUzH4Gc7ohEPLFzZpUy5aqQrTWYg/sJi HTTP/1.1 Host: www.growwithjenn.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic, HTTP traffic detected: GET /dp3a/?rTWxa=F+NQG3wr2qmzRibT9BAJK2aVObQEDzb5Y6jfukgEe6sv7RNklleEIbtQ/MsGh07J4TVQ&qXtd=VpFTeL6xRNZ0stZ0 HTTP/1.1 Host: www.bring-wellness.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: unknown, DNS traffic detected: queries for: www.allyexpense.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Thu, 10 Jun 2021 12:36:41 GMT Content-Length: 0 Connection: close Vary: Origin
Source: explorer.exe, 00000005.00000000.243022524.0000000008907000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: UGGJ4NnzFz.exe, String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: UGGJ4NnzFz.exe, String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: cmmon32.exe, 00000009.00000002.479471132.0000000004C02000.00000004.00000001.sdmp, String found in binary or memory: http://www.goldinsacks.com:80/dp3a/?qXtd=VpFTeL6xRNZ0stZ0&rTWxa=2EHAYBF9OrZScLBFfnY/kB1lNYuVodkT
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.243294084.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe, Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042
Source: UGGJ4NnzFz.exe, 00000000.00000002.219983630.00000000006FA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_004181C0 NtCreateFile
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00418270 NtReadFile
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_004182F0 NtClose
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_004183A0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_004181BC NtCreateFile
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_004182EB NtClose
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_0041839B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009DB040 NtSuspendThread
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9A10 NtQuerySection
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009DA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009DAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9560 NtWriteFile
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D96D0 NtCreateKey
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009DA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009D9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9560 NtWriteFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045BAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045BA770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045BA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045BB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045B9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045BA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B81C0 NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B8270 NtReadFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B82F0 NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B83A0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B81BC NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B82EB NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003B839B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 0_2_0040323C EntryPoint, #17, SetErrorMode, OleInitialize, SHGetFileInfoA, GetCommandLineA, GetModuleHandleA, CharNextA, GetTempPathA, GetWindowsDirectoryA, lstrcatA, DeleteFileA, OleUninitialize, ExitProcess, lstrcatA, lstrcmpiA, CreateDirectoryA, SetCurrentDirectoryA, DeleteFileA, CopyFileA, CloseHandle, GetCurrentProcess, ExitWindowsEx, ExitProcess
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 0_2_73751A98
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_0041D042
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00401030
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_0041CB69
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00408C5B
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00408C60
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00402D87
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00402D90
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_0041CF4E
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00402FB0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009AB090
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A620A8
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009C20A0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A628EC
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A6E824
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A51002
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009BA830
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009B99BF
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_0099F900
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009B4120
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A622AE
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A4FA2B
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009CEBB0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A5DBD2
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A503DA
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A62B28
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009BAB40
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009A841F
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A5D466
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009C2581
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009AD5E0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A625DD
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A62D07
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00990D20
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A61D55
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A62EF7
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_009B6E30
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A5D616
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A61FF1
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 1_2_00A6DFCE
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0463D466
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0458841F
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04641D55
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04642D07
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04570D20
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0458D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_046425DD
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045A2581
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04596E30
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0463D616
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04642EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04641FF1
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0464DFCE
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0464E824
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04631002
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0459A830
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_046428EC
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0458B090
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_046420A8
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045A20A0
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0457F900
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04594120
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045999BF
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0462FA2B
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_046422AE
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0459AB40
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04642B28
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_0463DBD2
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_046303DA
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_045AEBB0
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003BD042
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003BCB69
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003A8C60
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003A8C5B
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003A2D90
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003A2D87
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003BCF4E
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_003A2FB0
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: String function: 0099B150 appears 72 times
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: String function: 0457B150 appears 72 times
          Source: UGGJ4NnzFz.exe, 00000000.00000003.217329027.00000000099D6000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs UGGJ4NnzFz.exe
          Source: UGGJ4NnzFz.exe, 00000001.00000002.274341058.0000000000939000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenameCMMON32.exe` vs UGGJ4NnzFz.exe
          Source: UGGJ4NnzFz.exe, 00000001.00000002.274699413.0000000000C1F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs UGGJ4NnzFz.exe
          Source: UGGJ4NnzFz.exe; Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000001.216556670.0000000000400000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.475444887.00000000003A0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.477114884.00000000041D0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274028278.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274258003.00000000008B0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000009.00000002.477190198.0000000004210000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.274280539.00000000008E0000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.220100225.0000000002290000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.1.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.UGGJ4NnzFz.exe.2290000.3.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 1.2.UGGJ4NnzFz.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine; Classification label: mal100.troj.evad.winEXE@7/4@12/6
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 0_2_00404356 GetDlgItem, SetWindowTextA, SHBrowseForFolderA, CoTaskMemFree, lstrcmpiA, lstrcatA, SetDlgItemTextA, GetDiskFreeSpaceA, MulDiv, SetDlgItemTextA
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Code function: 0_2_00402020 CoCreateInstance, MultiByteToWideChar
          Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 9_2_04587D72 FindResourceA
          Source: C:\Windows\System32\conhost.exe; Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6676:120:WilError_01
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; File created: C:\Users\user\AppData\Local\Temp\nsyA3E2.tmp
          Source: UGGJ4NnzFz.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\UGGJ4NnzFz.exe; Key opened: HKEY_CURR