Analysis Report SKlGhwkzTi

Overview

General Information

Sample Name: SKlGhwkzTi (renamed file extension from none to exe)
Analysis ID: 432735
MD5: 8252e0bd8e579259cc18ceae0c5c6d64
SHA1: 242c3feb78e57de5c30b6f4f6b6d5d9b3332eb08
SHA256: 21b3aba425cfa96bd3c5db2b306591a3a2aa1c8ee6fbdeddfdf60b5e1c0df0ea
Tags: exe, trojan

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • SKlGhwkzTi.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\SKlGhwkzTi.exe' MD5: 8252E0BD8E579259CC18CEAE0C5C6D64)
    • SKlGhwkzTi.exe (PID: 4484 cmdline: C:\Users\user\Desktop\SKlGhwkzTi.exe MD5: 8252E0BD8E579259CC18CEAE0C5C6D64)
      • explorer.exe (PID: 3424 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • help.exe (PID: 6296 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 7140 cmdline: /c del 'C:\Users\user\Desktop\SKlGhwkzTi.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 6932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
21 further entries not shown

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.SKlGhwkzTi.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.SKlGhwkzTi.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.2.SKlGhwkzTi.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
4.2.SKlGhwkzTi.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.SKlGhwkzTi.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
10 further entries not shown

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Found malware configuration
Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: adultpeace.com | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: SKlGhwkzTi.exe | Virustotal: Detection: 31%
Source: SKlGhwkzTi.exe | ReversingLabs: Detection: 41%
Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE
Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: SKlGhwkzTi.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: SKlGhwkzTi.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmp, help.exe, 0000000D.00000002.918935858.00000000039A0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: SKlGhwkzTi.exe, help.exe
Source: Binary string: help.pdbGCTL | source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
Source: Binary string: help.pdb | source: SKlGhwkzTi.exe, 00000004.00000002.763881170.0000000001830000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000006.00000000.700218908.0000000005A00000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02C315E0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h | 0_2_02C315D0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4x nop then pop edi | 4_2_00416282
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4x nop then pop ebx | 4_2_00406A94
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop edi | 13_2_032F6282
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx | 13_2_032E6A95

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49768 -> 151.106.118.75:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.4:49771 -> 192.169.223.13:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.adultpeace.com/p2io/
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=es7Y2j6d/8vbylETtmEK+cycNhd4T49F/A456A8m/a4HPEjAATL8KRpgCeYlIlfO3VWH&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.hiddenwholesale.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=ia0dgIkdnBZILDuo3zp8eo0tNiPxoXJfkPpt6P05AAGh3ZPzSagLTNX+xDwAHOv6iOkY&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.anewdistraction.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YLJeQ+Gz7y&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.cleanxcare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=IctutJlD1KzdQk/q9eJAOxuhjWEnlD6jXMe1IpO47rzJ4yHlcjfL6JMqKvIaYl5lDyXZ&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.biztekno.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=V9Q6YNEsmUTgun1x6j8RVRt0udPCykKEN/zK+I9/XCzeOC650o3noXQhbdRFxPUlYrbD&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.69-1hn7uc.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=PONkgH6MO5ViG+zjbj4YyU3gBn/U0y1OFStIgCLmvXYcYHdxqE5/6Lr2O25ts36CozLG&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.cyrilgraze.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /p2io/?xN6x=r2GsjHfGgcaZI4XPmfqM84hqAY3LnZYXU2G/Xsttb0tqrt8DFa/RFFebhWMTMoil/lgU&YluDM=Ofc4YV0pThsp HTTP/1.1 | Host: www.centergolosinas.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 104.21.65.7
Source: Joe Sandbox View | IP Address: 198.185.159.144
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: PLUSSERVER-ASN1DE
Source: unknown | DNS traffic detected: queries for: www.hiddenwholesale.com
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: SKlGhwkzTi.exe, 00000000.00000002.679283133.0000000002DE1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000006.00000000.716763832.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: SKlGhwkzTi.exe, 00000000.00000002.687510936.0000000006F02000.00000004.00000001.sdmp, explorer.exe, 00000006.00000000.707799994.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmp | String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: help.exe, 0000000D.00000002.919483231.0000000004052000.00000004.00000001.sdmp | String found in binary or memory: https://www.cyrilgraze.com/p2io/?xN6x=PONkgH6MO5ViG

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00418260 NtReadFile
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_004182E0 NtClose
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_004182AC NtReadFile
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041838B NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9950 NtQueueApcThread
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9820 NtEnumerateKey
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018AB040 NtSuspendThread
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018AA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9B00 NtSetValueKey
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9A10 NtQuerySection
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018AAD30 NtSetContextThread
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9560 NtWriteFile
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018AA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9760 NtOpenProcess
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018AA770 NtOpenThread
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9770 NtSetInformationFile
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A96D0 NtCreateKey
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9650 NtQueryValueKey
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018A9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A099A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A096E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A096D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A095D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A0A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09B00 NtSetValueKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09A20 NtResumeThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09A10 NtQuerySection
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A099D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09950 NtQueueApcThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A098A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A098F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09820 NtEnumerateKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A0B040 NtSuspendThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A097A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A0A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09760 NtOpenProcess
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A0A770 NtOpenThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09770 NtSetInformationFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A095F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A0AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A09560 NtWriteFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032F8390 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032F8260 NtReadFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032F82E0 NtClose
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032F81B0 NtCreateFile
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032F838B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032F82AC NtReadFile
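The native-API rows above record which Nt* entry points the SKlGhwkzTi.exe process (4) and the injected help.exe process (13) resolved, and they are the raw material behind the report's "Sample uses process hollowing technique", "Queues an APC in another process" and "Maps a DLL or memory area into another process" signatures. The Python below is an added example, not code from the Joe Sandbox report or from any tool it names: it parses rows in the report's "Code function" format (an excerpt copied from the listing above, plus two constructed rows for a hypothetical C:\constructed\partial.exe and one bare address pair) and checks each process's union of calls against three call sets. Those three sets are this example's own assumption about what each signature needs, not Joe Sandbox's definitions.

```python
import re
from collections import defaultdict

# Rows copied from the report's "Code function" listing (processes 4 and 13),
# plus two constructed rows for a hypothetical partial.exe and one bare
# address-pair row that names no API. Both the fused "exeCode function" form
# seen in the extracted report and a " | "-separated form are accepted.
REPORT_ROWS = r"""
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A99A0 NtCreateSection,LdrInitializeThunk,4_2_018A99A0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9780 NtMapViewOfSection,LdrInitializeThunk,4_2_018A9780
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A97A0 NtUnmapViewOfSection,LdrInitializeThunk,4_2_018A97A0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A99D0 NtCreateProcessEx,4_2_018A99D0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9950 NtQueueApcThread,4_2_018A9950
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A98A0 NtWriteVirtualMemory,4_2_018A98A0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AAD30 NtSetContextThread,4_2_018AAD30
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018A9A20 NtResumeThread,LdrInitializeThunk,4_2_018A9A20
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 4_2_018AA770 NtOpenThread,4_2_018AA770
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A099A0 NtCreateSection,LdrInitializeThunk,13_2_03A099A0
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09780 NtMapViewOfSection,LdrInitializeThunk,13_2_03A09780
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A097A0 NtUnmapViewOfSection,13_2_03A097A0
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A099D0 NtCreateProcessEx,13_2_03A099D0
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09950 NtQueueApcThread,13_2_03A09950
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A098A0 NtWriteVirtualMemory,13_2_03A098A0
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0AD30 NtSetContextThread,13_2_03A0AD30
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A09A20 NtResumeThread,13_2_03A09A20
Source: C:\Windows\SysWOW64\help.exeCode function: 13_2_03A0A770 NtOpenThread,13_2_03A0A770
Source: C:\constructed\partial.exe | Code function: 9_2_00401000 NtWriteVirtualMemory,9_2_00401000
Source: C:\constructed\partial.exe | Code function: 9_2_00401040 NtResumeThread,9_2_00401040
Source: C:\Users\user\Desktop\SKlGhwkzTi.exeCode function: 0_2_014DB2840_2_014DB284
"""

# Assumed call sets behind the report's behavioural signatures (this example's
# assumption, not Joe Sandbox's definition of those signatures).
TECHNIQUES = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection",
                          "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping": {"NtCreateSection", "NtMapViewOfSection"},
}

# <process>_<stage>_<address> followed by the comma-separated call list.
ROW_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8})\s+(?P<calls>[A-Za-z0-9_,]+)"
)


def parse_code_functions(text):
    """One record per row that names at least one Nt* call.

    The trailing repeat of the function id and the LdrInitializeThunk token
    (the loader thunk through which the call was observed, not a syscall)
    are dropped; rows that are only an address pair are skipped.
    """
    records = []
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        calls = [c for c in m.group("calls").split(",") if c.startswith("Nt")]
        if not calls:
            continue
        pid, _stage, addr = m.group("fid").split("_")
        records.append({"source": m.group("src"), "process": int(pid),
                        "address": int(addr, 16), "calls": calls})
    return records


def calls_by_source(records):
    """Union of native calls seen per process image path."""
    seen = defaultdict(set)
    for r in records:
        seen[r["source"]].update(r["calls"])
    return dict(seen)


def missing_calls(technique, calls):
    """Calls a process would still need before `technique` is fully covered."""
    return TECHNIQUES[technique] - set(calls)


def matched_techniques(calls):
    """Technique names whose whole call set is present, sorted for stable output."""
    return sorted(name for name in TECHNIQUES if not missing_calls(name, calls))


def summarize(text):
    """Map each process image in the listing to the techniques its call set covers."""
    return {src: matched_techniques(calls)
            for src, calls in calls_by_source(parse_code_functions(text)).items()}


if __name__ == "__main__":
    for src, techniques in summarize(REPORT_ROWS).items():
        print(f"{src}: {', '.join(techniques) or 'no complete technique set'}")
```

A listing like this shows capability, not order of execution: the rows say the code resolved these entry points, and only the behavioural trace (suspended process creation, the APC queue, the context change) shows them being used in sequence. Use the match to corroborate the signatures above rather than to replace them, and treat NtDelayExecution, NtQuerySystemInformation and NtQueryInformationProcess as ambiguous on their own, since benign runtimes resolve them too.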
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_014DB284
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_014DC2D0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_014D99B0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_014DDF9B
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_052BE0E8
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_052BD240
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_052BDAE8
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_052BADF8
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 0_2_052BAE08
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00401030
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041B8B1
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041B963
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00408C4B
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00408C50
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041B493
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041B496
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041C539
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00402D89
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00402D90
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041CE85
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041BF12
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0041C795
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_00402FB0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0186F900
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01884120
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0187B090
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_018920A0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_019320A8
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_019328EC
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01921002
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0193E824
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0189EBB0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0192DBD2
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_019203DA
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01932B28
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_019322AE
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0191FA2B
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01892581
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_019325DD
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0187D5E0
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01932D07
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01860D20
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01931D55
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0187841F
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0192D466
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0193DFCE
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01931FF1
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01932EF7
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_0192D616
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: 4_2_01886E30
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039FEBB0
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A8DBD2
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A92B28
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A922AE
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039CF900
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039E4120
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A920A8
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039DB090
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039F20A0
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A928EC
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A81002
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A91FF1
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A92EF7
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039E6E30
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A8D616
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039F2581
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A925DD
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039DD5E0
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A92D07
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039C0D20
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A91D55
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_039D841F
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_03A8D466
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FB954
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FB8B1
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FBF12
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032E2FB0
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FC795
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FCE85
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FC539
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032E2D89
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032E2D90
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032E8C4B
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032E8C50
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FB496
Source: C:\Windows\SysWOW64\help.exe | Code function: 13_2_032FB493
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | Code function: String function: 0186B150 appears 45 times
Source: C:\Windows\SysWOW64\help.exe | Code function: String function: 039CB150 appears 35 times
Source: SKlGhwkzTi.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SKlGhwkzTi.exe | Binary or memory string: OriginalFilename vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000000.00000002.691758486.0000000008C10000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000000.00000002.678186974.0000000000942000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000000.00000002.679347370.0000000002E23000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000000.00000002.691169517.0000000007480000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe | Binary or memory string: OriginalFilename vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000004.00000002.764137531.000000000195F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000004.00000002.761811924.0000000000E02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe, 00000004.00000002.763603378.00000000015A9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe | Binary or memory string: OriginalFilenameSoapOption.exe. vs SKlGhwkzTi.exe
Source: SKlGhwkzTi.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
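The "Binary or memory string" rows above compare the OriginalFilename stored in a version resource (SoapOption.exe in the sample's own resource; ntdll.dll, Help.Exe, mscorrc.dll and others in the memory dumps) with the name the file was submitted under. The Python below is an added example, not code from the report or from Joe Sandbox: it pulls every OriginalFilename value out of raw bytes that contain VS_VERSIONINFO StringTable entries (a resource section or a process memory dump) and flags the ones that disagree with the on-disk name. The two byte buffers it scans are constructed here to mirror the report's strings; they are not bytes taken from the sample.

```python
import struct

# UTF-16LE form of the StringTable key the report's rows quote.
KEY = "OriginalFilename".encode("utf-16-le")


def build_string_entry(key, value):
    """Build one VS_VERSIONINFO String entry (constructed data for this example).

    Layout: wLength, wValueLength (WCHARs incl. NUL), wType=1 (text), szKey as
    NUL-terminated UTF-16LE, padding to a DWORD boundary, then the value.
    """
    key_bytes = key.encode("utf-16-le") + b"\x00\x00"
    value_bytes = value.encode("utf-16-le") + b"\x00\x00"
    padding = b"\x00" * ((-(6 + len(key_bytes))) % 4)
    body = key_bytes + padding + value_bytes
    return struct.pack("<HHH", 6 + len(body), len(value) + 1, 1) + body


# Constructed stand-ins: the sample's own version resource as the report quotes
# it, and a process memory dump in which a mapped system module's version
# resource (ntdll.dll) follows it. Neither is data from the real sample.
SAMPLE_VERSIONINFO = (b"\x00" * 8
                      + build_string_entry("CompanyName", "Example")
                      + build_string_entry("OriginalFilename", "SoapOption.exe")
                      + build_string_entry("ProductName", "SoapOption"))
MEMORY_DUMP = (SAMPLE_VERSIONINFO + b"\x00" * 16
               + build_string_entry("OriginalFilename", "ntdll.dll"))


def _read_utf16z(buf, off):
    """Read a NUL-terminated UTF-16LE string at off; returns (text, offset past NUL)."""
    end = off
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le", errors="replace"), end + 2


def extract_original_filenames(buf):
    """Every OriginalFilename value in buf, in the order the entries appear."""
    values = []
    pos = 0
    while True:
        pos = buf.find(KEY, pos)
        if pos < 0:
            return values
        off = pos + len(KEY)
        # The key must be NUL-terminated here; otherwise this is a longer key
        # or a coincidental string, not a StringTable entry.
        if buf[off:off + 2] != b"\x00\x00":
            pos = off
            continue
        # Header (6) + "OriginalFilename\0" (34) is already DWORD-aligned, so
        # the value follows the key's terminator with no padding.
        value, pos = _read_utf16z(buf, off + 2)
        values.append(value)


def check_original_filename(buf, on_disk_name):
    """Flag each embedded OriginalFilename that disagrees with the name on disk."""
    return [{"original_filename": v, "on_disk": on_disk_name,
             "renamed": v.lower() != on_disk_name.lower()}
            for v in extract_original_filenames(buf)]


if __name__ == "__main__":
    for hit in check_original_filename(MEMORY_DUMP, "SKlGhwkzTi.exe"):
        flag = "RENAMED" if hit["renamed"] else "matches"
        print(f"OriginalFilename {hit['original_filename']!r} vs {hit['on_disk']!r}: {flag}")
```

Only the value from the sample's own resource (SoapOption.exe) is evidence that the file was renamed before submission. A memory dump also contains the version resources of every module mapped into the process, which is where the ntdll.dll and Help.Exe strings in the rows above come from, so attribute each hit to the image it lives in before reading it as a mismatch.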
Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.761631200.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.918580029.0000000003510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000000.677567627.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.918415309.00000000032E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.763395770.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000D.00000002.918604632.0000000003540000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.679714687.0000000003DE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.763453752.0000000001560000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.SKlGhwkzTi.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.SKlGhwkzTi.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.SKlGhwkzTi.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.0.SKlGhwkzTi.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.SKlGhwkzTi.exe.3de9930.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: SKlGhwkzTi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@8/7
Source: C:\Users\user\Desktop\SKlGhwkzTi.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SKlGhwkzTi.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6932:120:WilError_01
Source: SKlGhwkzTi.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_