
Analysis Report DNPr7t0GMY

Overview

General Information

Sample Name: DNPr7t0GMY (renamed file extension from none to exe)
Analysis ID: 432808
MD5: f41951980d050c8fe13c8a2e31e55b94
SHA1: 58be890ff4d29b2d17566420c0e455dbfccda9a8
SHA256: 12f07790ce9303ed023131642a93d1b62ce4f3d5db8d35ed215d5b2bddc4ff93
Tags: exe, trojan


Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • DNPr7t0GMY.exe (PID: 6428 cmdline: 'C:\Users\user\Desktop\DNPr7t0GMY.exe' MD5: F41951980D050C8FE13C8A2E31E55B94)
    • DNPr7t0GMY.exe (PID: 6588 cmdline: C:\Users\user\Desktop\DNPr7t0GMY.exe MD5: F41951980D050C8FE13C8A2E31E55B94)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5876 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 4768 cmdline: /c del 'C:\Users\user\Desktop\DNPr7t0GMY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6244 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (bulleted below the row)
0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x166a9:$sqlite3step: 68 34 1C 7B E1
  • 0x167bc:$sqlite3step: 68 34 1C 7B E1
  • 0x166d8:$sqlite3text: 68 38 2A 90 C5
  • 0x167fd:$sqlite3text: 68 38 2A 90 C5
  • 0x166eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16813:$sqlite3blob: 68 53 D8 7F 8C
00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8972:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x938a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa102:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19777:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a81a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings (bulleted below the row)
4.0.DNPr7t0GMY.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.0.DNPr7t0GMY.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
4.0.DNPr7t0GMY.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x158a9:$sqlite3step: 68 34 1C 7B E1
  • 0x159bc:$sqlite3step: 68 34 1C 7B E1
  • 0x158d8:$sqlite3text: 68 38 2A 90 C5
  • 0x159fd:$sqlite3text: 68 38 2A 90 C5
  • 0x158eb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a13:$sqlite3blob: 68 53 D8 7F 8C
4.2.DNPr7t0GMY.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.DNPr7t0GMY.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x77e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x13885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x13987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x858a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x125ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9302:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18977:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started, Author: juju4, Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5876

Signature Overview

AV Detection:

Found malware configuration
Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.adultpeace.com/p2io/"], "decoy": ["essentiallyourscandles.com", "cleanxcare.com", "bigplatesmallwallet.com", "iotcloud.technology", "dmgt4m2g8y2uh.net", "malcorinmobiliaria.com", "thriveglucose.com", "fuhaitongxin.com", "magetu.info", "pyithuhluttaw.net", "myfavbutik.com", "xzklrhy.com", "anewdistraction.com", "mercuryaid.net", "thesoulrevitalist.com", "swayam-moj.com", "liminaltechnology.com", "lucytime.com", "alfenas.info", "carmelodesign.com", "newmopeds.com", "cyrilgraze.com", "ruhexuangou.com", "trendbold.com", "centergolosinas.com", "leonardocarrillo.com", "advancedaccessapplications.com", "aideliveryrobot.com", "defenestration.world", "zgcbw.net", "shopihy.com", "3cheer.com", "untylservice.com", "totally-seo.com", "cmannouncements.com", "tpcgzwlpyggm.mobi", "hfjxhs.com", "balloon-artists.com", "vectoroutlines.com", "boogerstv.com", "procircleacademy.com", "tricqr.com", "hazard-protection.com", "buylocalclub.info", "m678.xyz", "hiddenwholesale.com", "ololmychartlogin.com", "redudiban.com", "brunoecatarina.com", "69-1hn7uc.net", "zmzcrossrt.xyz", "dreamcashbuyers.com", "yunlimall.com", "jonathan-mandt.com", "painhut.com", "pandemisorgugirisi-tr.com", "sonderbach.net", "kce0728com.net", "austinpavingcompany.com", "biztekno.com", "rodriggi.com", "micheldrake.com", "foxwaybrasil.com", "a3i7ufz4pt3.net"]}
Multi AV Scanner detection for submitted file
Source: DNPr7t0GMY.exe, Virustotal: Detection: 55%
Source: DNPr7t0GMY.exe, Metadefender: Detection: 34%
Source: DNPr7t0GMY.exe, ReversingLabs: Detection: 60%
Yara detected FormBook
Source: Yara match, File source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: DNPr7t0GMY.exe, Joe Sandbox ML: detected
Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: DNPr7t0GMY.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: DNPr7t0GMY.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL source: DNPr7t0GMY.exe, 00000004.00000002.272130410.0000000002D50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: DNPr7t0GMY.exe, 00000004.00000002.271750109.000000000113F000.00000040.00000001.sdmp, msdt.exe, 0000000A.00000002.481988311.0000000004CB0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: DNPr7t0GMY.exe, 00000004.00000002.271750109.000000000113F000.00000040.00000001.sdmp, msdt.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jrFIryXeZK\src\obj\Debug\AppDomainTimerSafeHandle.pdb source: DNPr7t0GMY.exe
Source: Binary string: C:\Users\Administrator\Desktop\Client\Temp\jrFIryXeZK\src\obj\Debug\AppDomainTimerSafeHandle.pdb,L source: DNPr7t0GMY.exe
Source: Binary string: msdt.pdb source: DNPr7t0GMY.exe, 00000004.00000002.272130410.0000000002D50000.00000040.00000001.sdmp
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe, Code function: 4x nop then pop edi, 4_2_00416282
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe, Code function: 4x nop then pop ebx, 4_2_00406A94
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop ebx, 10_2_00786A95
Source: C:\Windows\SysWOW64\msdt.exe, Code function: 4x nop then pop edi, 10_2_00796282

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 199.195.117.147:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 199.195.117.147:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49749 -> 199.195.117.147:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.adultpeace.com/p2io/
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN227RveoPSR01 HTTP/1.1 | Host: www.yunlimall.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=403u/w6B7XptcAEzuvN4cykoFcXgffqxcXNiYWMFmnIxKaVZCbECctw1BX3Z+wGMxAxa HTTP/1.1 | Host: www.painhut.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?-Z0xlN=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YhWug+Cxzy&1bs8=cR-P8LD8 HTTP/1.1 | Host: www.cleanxcare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9bOaKrviR/d6 HTTP/1.1 | Host: www.thriveglucose.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?-Z0xlN=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&1bs8=cR-P8LD8 HTTP/1.1 | Host: www.essentiallyourscandles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9OtfZIW5A7WG HTTP/1.1 | Host: www.ololmychartlogin.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIDpWXBn/Ha HTTP/1.1 | Host: www.swayam-moj.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?-Z0xlN=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jK+CrAnEI1b&1bs8=cR-P8LD8 HTTP/1.1 | Host: www.brunoecatarina.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=WkKybY+EW+ZFcjRL6hKPcEEM/Z4gp4PnllRo5afgEdT4hrEaW59DTbMK1uLBueD84dbw HTTP/1.1 | Host: www.ruhexuangou.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View, IP Address: 142.111.47.2
Source: Joe Sandbox View, IP Address: 23.82.57.32
Source: Joe Sandbox View, ASN Name: EGIHOSTINGUS
Source: Joe Sandbox View, ASN Name: LEASEWEB-USA-SFO-12US
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=FG8u3oFaRD5TAlzINClu9ACxgqrSnZ6gPOUiGbwcreYFYk5tnmBon+VN227RveoPSR01 HTTP/1.1 | Host: www.yunlimall.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=403u/w6B7XptcAEzuvN4cykoFcXgffqxcXNiYWMFmnIxKaVZCbECctw1BX3Z+wGMxAxa HTTP/1.1 | Host: www.painhut.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?-Z0xlN=pxlxKDN0Rvw8YUTnsB4Bv4ohCC0AYWvU81fxb+r9dLiNjjqdMXiyL1Lf04YhWug+Cxzy&1bs8=cR-P8LD8 HTTP/1.1 | Host: www.cleanxcare.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=bgEje2qoIMshrcRflwWQjpUULYzLZlDcA+elzyDX4pz+rZVwSlMQ2+HN9bOaKrviR/d6 HTTP/1.1 | Host: www.thriveglucose.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?-Z0xlN=tOwaJov1NmitprcRi3+vLu8KpTdHs2Vuljzq3uMGq4g841w++xy1kQ5hZRjCYd6IRkqR&1bs8=cR-P8LD8 HTTP/1.1 | Host: www.essentiallyourscandles.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=2q6D4S4IYN7aWdcEo+dmfNOnFlWkohYFDzpy6Q1cDMIvB7dycn+zvuYm9OtfZIW5A7WG HTTP/1.1 | Host: www.ololmychartlogin.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=0YkKA47wwnQsSd2I7kPMKR9IRaKfA7HvmAjNs5nkCsbL4/Nj4Thso/t2FfIDpWXBn/Ha HTTP/1.1 | Host: www.swayam-moj.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?-Z0xlN=OHUffbgtyxVuJk/N29fk0Sz2RAv4pH8VLsDTaDI27e1IsTBLt6kjVq3G5jK+CrAnEI1b&1bs8=cR-P8LD8 HTTP/1.1 | Host: www.brunoecatarina.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /p2io/?1bs8=cR-P8LD8&-Z0xlN=WkKybY+EW+ZFcjRL6hKPcEEM/Z4gp4PnllRo5afgEdT4hrEaW59DTbMK1uLBueD84dbw HTTP/1.1 | Host: www.ruhexuangou.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: <a href="https://www.facebook.com/casarpontocom" target="_blank" title="Facebook/casarpontocom"> equals www.facebook.com (Facebook)
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: <a href="https://www.youtube.com/casarpontocom" target="_blank" title="Youtube/casarpontocom"> equals www.youtube.com (Youtube)
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: <iframe src="//www.facebook.com/plugins/like.php?href=https%3A%2F%2Ffacebook.com%2FEventoCasar&width&layout=button_count&action=like&show_faces=false&share=false&height=21&appId=621352837957736" scrolling="no" frameborder="0" style="border:none; overflow:hidden; height:21px;" allowTransparency="true"></iframe> equals www.facebook.com (Facebook)
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: src="https://www.facebook.com/tr?id=912779795420526&ev=PageView&noscript=1" equals www.facebook.com (Facebook)
Source: unknown, DNS traffic detected: queries for: www.yunlimall.com
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 10 Jun 2021 17:13:43 GMT | Content-Type: text/html | Content-Length: 153 | Connection: close | Server: nginx/1.16.1 | Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a | Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: explorer.exe, 00000005.00000000.241683015.0000000008A05000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: http://instagram.com/casarpontocom
Source: DNPr7t0GMY.exe, 00000002.00000002.220254281.00000000032E1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: http://www.pinterest.com/casarpontocom
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.241726965.0000000008B46000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://casarpontocom.zendesk.com/hc/pt-br
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/es5-shim/4.5.14/es5-shim.min.js
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://embed.typeform.com/embed.js
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://oss.maxcdn.com/libs/html5shiv/3.7.0/html5shiv.js
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://oss.maxcdn.com/libs/respond.js/1.3.0/respond.min.js
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://plus.google.com/
Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp, String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/casamentos/casamentos-reais/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/casamentos/decoracao-de-casamento/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/cha-de-panela/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/lua-de-mel-2/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/noivas/dicas-para-noivas/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/noivas/vestidos-de-noiva/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.casar.com/assunto/organizacao/
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.googletagmanager.com/gtm.js?id=
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.googletagmanager.com/ns.html?id=GTM-N7Z9MZC
Source: msdt.exe, 0000000A.00000002.483640962.0000000005362000.00000004.00000001.sdmp, String found in binary or memory: https://www.youtube.com/casarpontocom

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          .NET source code contains very large strings
          Source: DNPr7t0GMY.exe, ISectionEntry.cs | Long String: Length: 326320
          Source: 2.0.DNPr7t0GMY.exe.f10000.0.unpack, ISectionEntry.cs | Long String: Length: 326320
          Source: 2.2.DNPr7t0GMY.exe.f10000.0.unpack, ISectionEntry.cs | Long String: Length: 326320
          Source: 4.0.DNPr7t0GMY.exe.4f0000.2.unpack, ISectionEntry.cs | Long String: Length: 326320
          Source: 4.0.DNPr7t0GMY.exe.4f0000.0.unpack, ISectionEntry.cs | Long String: Length: 326320
          Source: 4.2.DNPr7t0GMY.exe.4f0000.1.unpack, ISectionEntry.cs | Long String: Length: 326320
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004181B0 NtCreateFile
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00418260 NtReadFile
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004182E0 NtClose
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004182AC NtReadFile
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041838B NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D195D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D196D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D197A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D198F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_007981B0 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00798260 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_007982E0 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00798390 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_007982AC NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079838B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 2_2_0313C2B0
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 2_2_031399A0
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00401030
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041B8B1
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041B963
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00408C4B
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00408C50
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041B493
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041B496
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041C539
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00402D89
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00402D90
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041CE85
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041BF12
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_0041C795
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00402FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9D466
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CE841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA25DD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CED5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D02581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA1D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA2D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CD0D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA2EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9D616
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF6E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA1FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA28EC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CEB090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D020A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA20A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D91002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CDF900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04CF4120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA22AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D9DBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D0EBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04DA2B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079B8B1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079B954
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00788C50
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00788C4B
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079B493
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079B496
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079C539
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00782D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00782D89
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079CE85
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079BF12
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_00782FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_0079C795
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04CDB150 appears 35 times
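The Nt* entries above are raw per-process lists. To see which injection primitives they add up to, the script below groups the Nt* names by process index and checks each process against a minimal native-API set per technique. It is an added example written for this page, not Joe Sandbox code: the sample lines are constructed from entries above, the technique sets are chosen here as minimal indicators rather than taken from the report, and reading the identifiers as `<process index>_<stage>_<address>` is an assumption that matches the numbering used for DNPr7t0GMY.exe (4) and msdt.exe (10) elsewhere in the report.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Code function" entries listed above.
SAMPLE_CODE_LINES = r"""
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D199A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D197A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D198A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D199D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19950 NtQueueApcThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D19A20 NtResumeThread
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 10_2_04D1A770 NtOpenThread
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_004181B0 NtCreateFile
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Code function: 4_2_00418390 NtAllocateVirtualMemory
""".strip().splitlines()

# <process index>_<stage>_<address> followed by the API names the function calls.
# The process-index reading is an assumption consistent with the rest of the report.
CODE_FN_RE = re.compile(
    r"\b(?P<pid>\d+)_(?P<stage>\d+)_(?P<addr>[0-9A-Fa-f]{8}) (?P<apis>[A-Za-z0-9_,]+)"
)

# Minimal native-API sets chosen here as indicators for each injection technique.
TECHNIQUES = {
    "process hollowing": {
        "NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread",
    },
    "APC injection": {"NtOpenThread", "NtWriteVirtualMemory", "NtQueueApcThread"},
    "section mapping into another process": {"NtCreateSection", "NtMapViewOfSection"},
}


def nt_calls_by_process(lines):
    """Map process index -> {Nt* API name -> set of addresses of the functions calling it}."""
    calls = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = CODE_FN_RE.search(line)
        if not m:
            continue
        for name in m["apis"].split(","):
            if name.startswith("Nt"):
                calls[int(m["pid"])][name].add(int(m["addr"], 16))
    return calls


def injection_capabilities(lines):
    """Return {process index: [technique, ...]} for processes whose Nt* calls
    cover every member of a technique's primitive set."""
    result = {}
    for pid, apis in nt_calls_by_process(lines).items():
        found = [t for t, needed in TECHNIQUES.items() if needed <= set(apis)]
        if found:
            result[pid] = found
    return result


def nt_stub_span(lines, pid):
    """Lowest and highest address of the functions calling Nt* APIs in one process,
    so you can see whether they cluster in a single region (as the msdt.exe entries
    around 0x04D19000 do) or are spread across the image."""
    addrs = {a for callers in nt_calls_by_process(lines)[pid].values() for a in callers}
    return (min(addrs), max(addrs)) if addrs else None


if __name__ == "__main__":
    for pid, techniques in injection_capabilities(SAMPLE_CODE_LINES).items():
        lo, hi = nt_stub_span(SAMPLE_CODE_LINES, pid)
        print(f"process {pid}: {', '.join(techniques)} (Nt* callers at 0x{lo:08X}-0x{hi:08X})")
```

On the sample, only process 10 (msdt.exe) satisfies all three sets; process 4 only carries file and allocation primitives in this subset. The technique sets are deliberately small, so treat a match as a reason to look at the disassembly, not as proof.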
          Source: DNPr7t0GMY.exe, 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKygo.dll* vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe, 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameDSASignature.dll@ vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe, 00000002.00000000.207658511.0000000001056000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAppDomainTimerSafeHandle.exeB vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe, 00000004.00000002.271750109.000000000113F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe, 00000004.00000002.271279344.0000000000636000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAppDomainTimerSafeHandle.exeB vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe, 00000004.00000002.272130410.0000000002D50000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe | Binary or memory string: OriginalFilenameAppDomainTimerSafeHandle.exeB vs DNPr7t0GMY.exe
          Source: DNPr7t0GMY.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.478065429.0000000000C20000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.271551704.0000000000CF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.271485121.0000000000CC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.DNPr7t0GMY.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.DNPr7t0GMY.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.DNPr7t0GMY.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
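Each Yara hit above is keyed by a memory-dump or unpack identifier, and decoding those identifiers tells you which hits landed in executable memory (unpacked code) and which in plain data. The script below is an added example written for this page, not Joe Sandbox tooling. It reads dump names as `<process index>.<stage>.<dump id>.<base address>.<protection>.<type>.sdmp`, decodes the fifth field with the standard Windows PAGE_* constants from winnt.h, and treats stage 0 as a capture at process start and stage 2 as one at process end; unpack names are read as `<process index>.<stage>.<image>.<base>.<index>[.raw].unpack`. The field layout and the stage meaning are assumptions inferred from the identifiers on this page, and the sample lines are constructed from entries above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a subset of the Yara match lines above.
SAMPLE_YARA_LINES = [
    "Source: Yara match | File source: 0000000A.00000002.478198621.0000000000C50000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000004.00000000.216484865.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000002.00000002.220966733.00000000042E9000.00000004.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 00000004.00000002.271117141.0000000000400000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 0000000A.00000002.477312798.0000000000780000.00000040.00000001.sdmp, type: MEMORY",
    "Source: Yara match | File source: 4.0.DNPr7t0GMY.exe.400000.1.raw.unpack, type: UNPACKEDPE",
]

# Windows memory-protection constants (winnt.h) used to decode the fifth field.
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}

# Assumed layout: <process index>.<stage>.<dump id>.<base>.<protection>.<type>.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp"
)
# Assumed layout: <process index>.<stage>.<image>.<base>.<index>[.raw].unpack
UNPACK_RE = re.compile(
    r"(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<image>\S+?)\.(?P<base>[0-9A-Fa-f]+)\.\d+(?:\.raw)?\.unpack"
)


@dataclass(frozen=True)
class DumpRef:
    pid: int
    stage: int              # assumption: 0 = captured at process start, 2 = at process end
    base: int
    protect: Optional[int]  # None for .unpack names, which carry no protection field
    kind: str               # "MEMORY" or "UNPACKEDPE"

    @property
    def protect_name(self) -> str:
        if self.protect is None:
            return "n/a"
        return PAGE_PROTECT.get(self.protect, f"0x{self.protect:x}")

    @property
    def executable(self) -> bool:
        # An unpacked PE is code by construction; a memory dump is code only if the page is executable.
        return self.protect is None or self.protect in EXECUTABLE


def parse_dump_ref(text: str) -> Optional[DumpRef]:
    m = SDMP_RE.search(text)
    if m:
        return DumpRef(int(m["pid"], 16), int(m["stage"], 16), int(m["base"], 16), int(m["prot"], 16), "MEMORY")
    m = UNPACK_RE.search(text)
    if m:
        return DumpRef(int(m["pid"]), int(m["stage"]), int(m["base"], 16), None, "UNPACKEDPE")
    return None


def code_hits_by_process(lines):
    """{process index: sorted [(base, stage), ...]} for hits that landed in executable memory."""
    hits = {}
    for line in lines:
        ref = parse_dump_ref(line)
        if ref and ref.executable:
            hits.setdefault(ref.pid, set()).add((ref.base, ref.stage))
    return {pid: sorted(v) for pid, v in hits.items()}


def preloaded_image_base_hits(lines, image_base=0x400000):
    """Process indices with an executable hit at the image base in a stage-0 capture: under the
    assumed stage meaning, code already in place before the process ran. Indicator only."""
    return sorted({ref.pid for ref in map(parse_dump_ref, lines)
                   if ref and ref.kind == "MEMORY" and ref.executable
                   and ref.stage == 0 and ref.base == image_base})


if __name__ == "__main__":
    for line in SAMPLE_YARA_LINES:
        ref = parse_dump_ref(line)
        print(f"pid {ref.pid:2d} stage {ref.stage} base 0x{ref.base:08X} {ref.protect_name} executable={ref.executable}")
    print("code hits:", code_hits_by_process(SAMPLE_YARA_LINES))
    print("executable image base present at start:", preloaded_image_base_hits(SAMPLE_YARA_LINES))
```

On the sample, the hit in process 2 at 0x042E9000 is PAGE_READWRITE and drops out as data (a copied payload or configuration), while process 4 has PAGE_EXECUTE_READWRITE hits at 0x00400000 in both captures and process 10 has one at 0x00780000, which is where the unpacked code lives.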
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@7/1@13/10
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DNPr7t0GMY.exe.log
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_01
          Source: DNPr7t0GMY.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Select * from Clientes WHERE id=@id;;
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Select * from Aluguel Erro ao listar Banco sql-Aluguel.INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE id=@id;
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType WHERE modelo=@modelo;
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: INSERT INTO SecurityLogonType VALUES(@modelo, @fabricante, @ano, @cor);
          Source: DNPr7t0GMY.exe, 00000002.00000002.220290008.0000000003320000.00000004.00000001.sdmp | Binary or memory string: Select * from SecurityLogonType*Erro ao listar Banco sql-SecurityLogonType,Select * from SecurityLogonType WHERE id=@id;Select * from SecurityLogonType WHERE (modelo LIKE @modelo)
          Source: DNPr7t0GMY.exe | Virustotal: Detection: 55%
          Source: DNPr7t0GMY.exe | Metadefender: Detection: 34%
          Source: DNPr7t0GMY.exe | ReversingLabs: Detection: 60%
          Source: unknown | Process created: C:\Users\user\Desktop\DNPr7t0GMY.exe 'C:\Users\user\Desktop\DNPr7t0GMY.exe'
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Process created: C:\Users\user\Desktop\DNPr7t0GMY.exe C:\Users\user\Desktop\DNPr7t0GMY.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DNPr7t0GMY.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
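The process-creation entries above form a short chain: the sample starts a second copy of itself, explorer.exe starts a 32-bit msdt.exe from SysWOW64 with no arguments, and msdt.exe removes the original file through cmd.exe. The script below is an added example written for this page, not Joe Sandbox code. It parses such entries into (parent, child, command line) tuples and applies three heuristics that match that chain; the rule names and thresholds are chosen here, and the sample lines are constructed from the entries above.

```python
import re

# Constructed sample: the process-creation entries listed above.
SAMPLE_PROCESS_LINES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\DNPr7t0GMY.exe 'C:\Users\user\Desktop\DNPr7t0GMY.exe'
Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | Process created: C:\Users\user\Desktop\DNPr7t0GMY.exe C:\Users\user\Desktop\DNPr7t0GMY.exe
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\DNPr7t0GMY.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
""".strip().splitlines()

# "Source: <parent> ... Process created: <child image> <command line>"; the separator
# between the two fields is optional so both the fused and the cleaned layout parse.
PROC_RE = re.compile(
    r"Source: (?P<parent>.+?)\s*\|?\s*Process created: (?P<child>\S+)\s*(?P<cmdline>.*)$"
)
DEL_RE = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+)", re.IGNORECASE)


def parse_process_events(lines):
    """Return [(parent image, child image, child command line), ...]."""
    events = []
    for line in lines:
        m = PROC_RE.search(line)
        if m:
            events.append((m["parent"].strip(), m["child"], m["cmdline"].strip()))
    return events


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_process_anomalies(lines):
    """Apply three heuristics to the process tree and return (rule, parent, subject) triples."""
    events = parse_process_events(lines)
    images = {child.lower() for _, child, _ in events}
    findings = []
    for parent, child, cmdline in events:
        # 1. A process starting an identical copy of itself, the usual prelude to
        #    replacing the child's image with a payload.
        if parent.lower() == child.lower():
            findings.append(("self-spawn", parent, child))
        # 2. The user shell starting a 32-bit system utility whose command line is
        #    nothing but its own image path.
        if (basename(parent) == "explorer.exe" and "\\syswow64\\" in child.lower()
                and cmdline.strip("'\"").lower() == child.lower()):
            findings.append(("shell-launched SysWOW64 utility without arguments", parent, child))
        # 3. cmd /c del aimed at the image of a process seen elsewhere in the tree.
        if basename(child) == "cmd.exe":
            m = DEL_RE.search(cmdline)
            if m and m["target"].strip().lower() in images:
                findings.append(("self-deletion via cmd /c del", parent, m["target"].strip()))
    return findings


if __name__ == "__main__":
    for rule, parent, subject in find_process_anomalies(SAMPLE_PROCESS_LINES):
        print(f"{rule}: {parent} -> {subject}")
```

The third rule is the one most worth keeping in a production detection: a process deleting an executable that another process in the same tree was started from is rare in legitimate software and ties the cleanup back to the sample even after the file is gone.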
          Source: C:\Users\user\Desktop\DNPr7t0GMY.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: DNPr7t0GMY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: DNPr7t0GMY.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
          Source: DNPr7t0GMY.exe | Static file information: File size 1325568 > 1048576
          Source: DNPr7t0GMY.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x142e00
          Source: DNPr7t0GMY.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: DNPr7t0GMY.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG