Analysis Report 5t2CmTUhKc.exe

Overview

General Information

Sample Name: 5t2CmTUhKc.exe
Analysis ID: 433074
MD5: 116e736ba00fca4b8499c4df00796454
SHA1: a8d3d62db4bd49e24c2bda3d0d81c3be25a81dae
SHA256: 096ca35528ef4f702e93f5f17d7954f26fb48acd4526794ce1ee99d27cf1a4c3
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 5t2CmTUhKc.exe (PID: 6368 cmdline: 'C:\Users\user\Desktop\5t2CmTUhKc.exe' MD5: 116E736BA00FCA4B8499C4DF00796454)
    • 5t2CmTUhKc.exe (PID: 6432 cmdline: 'C:\Users\user\Desktop\5t2CmTUhKc.exe' MD5: 116E736BA00FCA4B8499C4DF00796454)
      • explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
      • help.exe (PID: 7136 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
        • cmd.exe (PID: 5696 cmdline: /c del 'C:\Users\user\Desktop\5t2CmTUhKc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
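The tree above is the behavioural core of the report: the dropper starts a second copy of itself (the suspended child the "Creates a process in suspended mode" and "Sample uses process hollowing technique" signatures refer to), a 32-bit Windows binary (C:\Windows\SysWOW64\help.exe) is spawned under that copy, and cmd.exe finally deletes the original file from disk. The following is an added example, not part of the Joe Sandbox report, that turns those three relationships into detection checks over process-creation records. EVENTS is constructed from the tree in Sysmon Event ID 1 style; the root's parent PID (1000), the cmd.exe image path (SysWOW64, assumed because its parent is the 32-bit help.exe) and the double quotes around the deleted path are assumptions, since the report shows only "/c del '...'" as the command line. explorer.exe (PID 3440) is left out: it was already running and sits in the tree as an injection target rather than as a process the sample created.

```python
"""Detection checks over process-creation events modelled on the report's process tree.

Added example, not from the report. Field names follow Sysmon Event ID 1; PIDs and
image paths are the report's, the root ppid, the cmd.exe image path and the quoting
of the deleted path are assumptions.
"""
import re

SAMPLE = r"C:\Users\user\Desktop\5t2CmTUhKc.exe"

EVENTS = [  # constructed from the report's process tree
    {"pid": 6368, "ppid": 1000, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 6432, "ppid": 6368, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 7136, "ppid": 6432, "image": r"C:\Windows\SysWOW64\help.exe",
     "cmdline": r"C:\Windows\SysWOW64\help.exe"},
    {"pid": 5696, "ppid": 7136, "image": r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
     "cmdline": f'cmd.exe /c del "{SAMPLE}"'},
    {"pid": 5688, "ppid": 5696, "image": r"C:\Windows\System32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

# `del <quoted path>` or `del <bare path>` anywhere in a cmd.exe command line
DEL_RE = re.compile(r'\bdel\b\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(events, pid):
    """Process records from pid upward to the root, nearest first."""
    by_pid, chain = _by_pid(events), []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def self_delete_hits(events):
    """cmd.exe deleting the image file of one of its own ancestors (the 'cmd /c del' step)."""
    hits = []
    for e in events:
        if not e["image"].lower().endswith("\\cmd.exe"):
            continue
        m = DEL_RE.search(e["cmdline"])
        if not m:
            continue
        target = m.group(1) or m.group(2)
        owners = [a["pid"] for a in ancestors(events, e["ppid"])
                  if a["image"].lower() == target.lower()]
        if owners:
            hits.append((e["pid"], target, owners))
    return hits


def system_binary_from_user_path(events):
    """A binary under C:\\Windows (here SysWOW64\\help.exe) spawned by an executable under C:\\Users."""
    by_pid = _by_pid(events)
    return [e["pid"] for e in events
            if e["image"].lower().startswith("c:\\windows\\")
            and by_pid.get(e["ppid"], {}).get("image", "").lower().startswith("c:\\users\\")]


def self_spawn(events):
    """A process whose parent runs the same image (the child later hollowed out)."""
    by_pid = _by_pid(events)
    return [e["pid"] for e in events
            if by_pid.get(e["ppid"], {}).get("image", "").lower() == e["image"].lower()]


if __name__ == "__main__":
    print("self-delete:", self_delete_hits(EVENTS))
    print("windows binary from user path:", system_binary_from_user_path(EVENTS))
    print("self-spawn:", self_spawn(EVENTS))
```

Each check is weak on its own (installers self-spawn, and plenty of user-profile programs launch Windows binaries); the point of walking the ancestor chain is that the cmd.exe delete lands on the image of a process two levels up, which together with the other two hits describes exactly this tree.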

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}
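The configuration carries one real C2 URL and a long decoy list, and every host in it is contacted with the same URI path (/bp3i/), so host-level blocking of the first observed beacon would usually hit a decoy. The following is an added example, not part of the Joe Sandbox report, that parses the extracted configuration and labels each captured beacon as real C2, configured decoy or unknown. CONFIG_JSON is the report's configuration with the decoy list trimmed to the hosts that also appear in the captured traffic plus a few others; OBSERVED rebuilds the six GET requests listed in the Networking section as raw HTTP/1.1 text (the report shows no User-Agent header, and a seven-byte all-NUL body that is not needed here).

```python
"""Correlate captured FormBook beacons with the extracted configuration.

Added example, not from the report. CONFIG_JSON is the report's configuration with a
trimmed decoy list; OBSERVED is rebuilt from the six GET requests the report captured.
"""
import json
from urllib.parse import urlsplit

CONFIG_JSON = """{"C2 list": ["www.oceancollaborative.com/bp3i/"],
 "decoy": ["bancambios.network", "purpleqube.com", "middreampostal.com",
           "xn---yado-8e4dze0c.site", "thechandeck.com", "bluebeltpanobuy.com",
           "harchain.com", "nodeaths.com"]}"""


def _req(host, target):
    # Rebuilds a request as the report shows it: no User-Agent header at all.
    return f"GET {target} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n"


OBSERVED = [  # constructed from the report's "HTTP traffic detected" lines
    _req("www.thechandeck.com", "/bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd"),
    _req("www.bancambios.network", "/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw=="),
    _req("www.purpleqube.com", "/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd"),
    _req("www.middreampostal.com", "/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ=="),
    _req("www.xn---yado-8e4dze0c.site", "/bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd"),
    _req("www.oceancollaborative.com", "/bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd785YA8v1+XbYT2uw=="),
]


def strip_www(host):
    h = host.lower()
    return h[4:] if h.startswith("www.") else h


def parse_request(raw):
    """Minimal HTTP/1.1 request-line and header parser; query values are kept verbatim."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    params = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
    return {"method": method, "host": headers.get("host", ""), "path": parts.path,
            "params": params, "user_agent": headers.get("user-agent")}


def load_config(text):
    cfg = json.loads(text)
    c2_host, _, c2_path = cfg["C2 list"][0].partition("/")
    return {"c2_host": strip_www(c2_host), "c2_path": "/" + c2_path,
            "decoys": {strip_www(d) for d in cfg["decoy"]}}


def classify(requests, cfg):
    """(host, role, path-matches-C2-path) per beacon; role is c2, decoy or unknown."""
    rows = []
    for r in requests:
        host = strip_www(r["host"])
        role = "c2" if host == cfg["c2_host"] else "decoy" if host in cfg["decoys"] else "unknown"
        rows.append((r["host"], role, r["path"] == cfg["c2_path"]))
    return rows


def beacon_tokens(requests, name="3fuD_"):
    """Distinct values of one query parameter across the beacons."""
    return {r["params"].get(name) for r in requests}


def report():
    cfg = load_config(CONFIG_JSON)
    reqs = [parse_request(r) for r in OBSERVED]
    return {"rows": classify(reqs, cfg), "tokens": beacon_tokens(reqs),
            "no_user_agent": all(r["user_agent"] is None for r in reqs)}


if __name__ == "__main__":
    for host, role, on_c2_path in report()["rows"]:
        print(f"{host:32} {role:8} path matches C2 path: {on_c2_path}")
```

Run against the report's traffic this labels five of the six beacons as decoys and only the last one (www.oceancollaborative.com) as the configured C2; all six use the C2 path and the same 3fuD_ value, and none carries a User-Agent, which is the behaviour the "HTTP GET or POST without a user agent" signature flags. The report does not state what the two query parameters encode, so the example treats them as opaque.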

Yara Overview

Memory Dumps

Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp
Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x166c9:$sqlite3step: 68 34 1C 7B E1
  • 0x167dc:$sqlite3step: 68 34 1C 7B E1
  • 0x166f8:$sqlite3text: 68 38 2A 90 C5
  • 0x1681d:$sqlite3text: 68 38 2A 90 C5
  • 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16833:$sqlite3blob: 68 53 D8 7F 8C

Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

19 further memory-dump entries not shown.

      Unpacked PEs

Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack
Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Strings:
  • 0x158c9:$sqlite3step: 68 34 1C 7B E1
  • 0x159dc:$sqlite3step: 68 34 1C 7B E1
  • 0x158f8:$sqlite3text: 68 38 2A 90 C5
  • 0x15a1d:$sqlite3text: 68 38 2A 90 C5
  • 0x1590b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15a33:$sqlite3blob: 68 53 D8 7F 8C

Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security

Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack
Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

13 further unpacked-PE entries not shown.
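Two things are worth reading out of the Yara hit lists above. First, the yara-signator $sequence_0 bytes 03 C8 0F 31 2B C1 89 45 FC disassemble to add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, i.e. the timestamp-delta measurement behind the "Tries to detect virtualization through RDTSC time measurements" signature, and the JPCERT $sqlite3* strings are five-byte push imm32 instructions whose immediates the rule names after the sqlite3 functions (the report does not show how FormBook resolves them). Second, every hit in the 0.2 ...2290000.3.unpack view sits exactly 0xE00 below the same hit in the memory dumps (0x77f8 vs 0x85f8, 0x158c9 vs 0x166c9, and so on), so the two views are the same payload at a constant shift. The following is an added example, not part of the report or of either rule set, that plants those byte patterns in a zero-filled buffer at the reported offsets, rescans for them, decodes the push immediates, and confirms the constant shift between the two views.

```python
"""Scan for the Yara byte sequences listed in the report and decode what they encode.

Added example, not from the report or the cited rules. PATTERNS and REPORT_OFFSETS are
copied from the rule hits above; build_sample() constructs a buffer with the bytes
planted at those offsets so the scanner runs offline.
"""
import struct

PATTERNS = {
    # yara-signator Formbook_1: add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "sequence_0": bytes.fromhex("03C80F312BC18945FC"),
    # yara-signator Formbook_1: pop ebp / ret / lea edx,[eax+0x7c] / cmp dl,7
    "sequence_4": bytes.fromhex("5DC38D507C80FA07"),
    # JPCERT "detect Formbook in memory": push imm32 of the constants the rule names after sqlite3 APIs
    "sqlite3step": bytes.fromhex("68341C7BE1"),
    "sqlite3text": bytes.fromhex("68382A90C5"),
    "sqlite3blob": bytes.fromhex("6853D87F8C"),
}

# Offsets the report lists for the 00000002...0000000000870000 memory dump.
REPORT_OFFSETS = {
    "sequence_0": [0x85F8, 0x8992],
    "sequence_4": [0x1491F],
    "sqlite3step": [0x166C9, 0x167DC],
    "sqlite3text": [0x166F8, 0x1681D],
    "sqlite3blob": [0x1670B, 0x16833],
}


def build_sample(size=0x1B000):
    """Constructed buffer: zeros with the report's patterns planted at the report's offsets."""
    buf = bytearray(size)
    for name, offsets in REPORT_OFFSETS.items():
        for off in offsets:
            buf[off:off + len(PATTERNS[name])] = PATTERNS[name]
    return bytes(buf)


def find_all(buf, pat):
    """All offsets at which pat occurs in buf (overlapping matches included)."""
    hits, i = [], buf.find(pat)
    while i != -1:
        hits.append(i)
        i = buf.find(pat, i + 1)
    return hits


def scan(buf):
    return {name: find_all(buf, pat) for name, pat in PATTERNS.items()}


def push_imm32(pat):
    """Decode a 5-byte `push imm32` (opcode 0x68) into its little-endian immediate, else None."""
    if len(pat) != 5 or pat[0] != 0x68:
        return None
    return struct.unpack("<I", pat[1:])[0]


def offset_deltas(hits_a, hits_b):
    """Set of (a - b) over paired hits; a single value means the same code at a constant shift."""
    return {a - b for name in hits_a for a, b in zip(hits_a[name], hits_b[name])}


if __name__ == "__main__":
    mapped = build_sample()
    raw = mapped[0xE00:]  # simulates the unpacked-PE view whose offsets sit 0xE00 lower
    for name, offs in scan(mapped).items():
        print(f"{name:12} {[hex(o) for o in offs]}")
    print("shift between views:", {hex(d) for d in offset_deltas(scan(mapped), scan(raw))})
    for name in ("sqlite3step", "sqlite3text", "sqlite3blob"):
        print(f"{name:12} push 0x{push_imm32(PATTERNS[name]):08X}")
```

The scan reproduces the reported offsets, the shifted view reproduces the 0x77f8/0x158c9-style offsets of the unpacked PE, and the three push immediates decode to 0xE17B1C34, 0xC5902A38 and 0x8C7FD853. Matching on raw bytes this way is what the rules do; the example exists so the numbers on the page can be checked rather than taken on trust.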

          Sigma Overview

          No Sigma rule has matched

          Signature Overview

          AV Detection:

Antivirus detection for URL or domain
Source: http://www.thechandeck.com/bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd | Avira URL Cloud: Label: malware
Source: http://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd | Avira URL Cloud: Label: phishing
Source: https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz | Avira URL Cloud: Label: phishing
Found malware configuration
Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.oceancollaborative.com/bp3i/"], "decoy": ["bancambios.network", "centroufologicosiciliano.info", "personalloansonline.xyz", "xn---yado-8e4dze0c.site", "americanscientific.net", "5australiacl.com", "sportsiri.com", "harchain.com", "oakandivywedding.com", "getbattlevizion.com", "laurenamason.com", "middreampostal.com", "realityawarenetworks.com", "purpleqube.com", "reufhroir.com", "dr-farshidtajik.com", "spinecompanion.com", "grpsexportsandimports.com", "nodeaths.com", "indylead.com", "payplrif617592.info", "counteraction.fund", "t4mall.com", "lnbes.com", "5xlsteve.com", "kocaelimanliftkiralama.site", "jacksonmesser.com", "nicehips.xyz", "accelerator.sydney", "dembyanndson.com", "tori2020.com", "ilium-partners.com", "amazingfinds4u.com", "therebelpartyband.com", "mutanterestaurante.com", "underce.com", "foldarusa.com", "canyoufindme.info", "fewo-zweifall.com", "fredrika-stahl.com", "bankalmatajer.com", "themindsetbreakthrough.com", "kesat-ya10.com", "9wsc.com", "jimmymasks.com", "bluebeltpanobuy.com", "my-ela.com", "motivactivewear.com", "myrivercityhomeimprovements.com", "xn--2o2b1z87x8sb.com", "pholbhf.icu", "8ballsportsbook.com", "doodstore.net", "shenghui118.com", "glavstore.com", "mydystopianlife.com", "woodlandsceinics.com", "trickshow.club", "vitali-tea.online", "thechandeck.com", "blinbins.com", "mcgcompetition.com", "xrglm.com", "mikefling.com"]}
Multi AV Scanner detection for submitted file
Source: 5t2CmTUhKc.exe | Virustotal: Detection: 28%
Source: 5t2CmTUhKc.exe | ReversingLabs: Detection: 28%
Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 5t2CmTUhKc.exe | Joe Sandbox ML: detected
Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 11.2.help.exe.4ed3f8.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 11.2.help.exe.35c7960.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 5t2CmTUhKc.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: wscui.pdbUGP | source: explorer.exe, 00000005.00000000.369588709.000000000DC20000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 5t2CmTUhKc.exe, 00000000.00000003.333908194.00000000099B0000.00000004.00000001.sdmp, 5t2CmTUhKc.exe, 00000002.00000002.416446204.0000000000AB0000.00000040.00000001.sdmp, help.exe, 0000000B.00000002.598457171.0000000000C2F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 5t2CmTUhKc.exe, help.exe
Source: Binary string: help.pdbGCTL | source: 5t2CmTUhKc.exe, 00000002.00000002.416428242.0000000000AA0000.00000040.00000001.sdmp
Source: Binary string: help.pdb | source: 5t2CmTUhKc.exe, 00000002.00000002.416428242.0000000000AA0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdb | source: explorer.exe, 00000005.00000000.369588709.000000000DC20000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_0040263E FindFirstFileA
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop esi (2_2_00415851)
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop ebx (2_2_00406A98)
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop esi (2_1_00415851)
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 4x nop then pop ebx (2_1_00406A98)
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop esi (11_2_00415851)
Source: C:\Windows\SysWOW64\help.exe | Code function: 4x nop then pop ebx (11_2_00406A99)

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 185.224.138.83:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 185.224.138.83:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.6:49748 -> 185.224.138.83:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.oceancollaborative.com/bp3i/
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=p3NsgK4BERuThhH+teqwS1C0txfpjFxawwSOzHNPnDrrCpY7gJP96rzPXZQ9m0/nBd8sZePfaw==&3fuD_=S2MtYLGX0vFd HTTP/1.1 | Host: www.thechandeck.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=So2Tvg87hIziEtO/Cru7EIQwZdKNOPQNXuBCwKB1xQ7qfTi1ynPiyI53Zc3PyJmgTVsVUbeTjw== HTTP/1.1 | Host: www.bancambios.network | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz+o9SZKu4zQeP+5HQLx8WUcJbeVktEW19wEdA8EtbmnhqlSQaIYanfFQnQ==&3fuD_=S2MtYLGX0vFd HTTP/1.1 | Host: www.purpleqube.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=IptNrmuXUVaV/Z9910/N9dyZxtPI5jyScGKXmfxiWqbBXO2QZbfIAu6+lQXyF1DTVkAc6YCxuQ== HTTP/1.1 | Host: www.middreampostal.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /bp3i/?o6tTHHhh=G/6vsm0KxG9qmRdgnTa4hWK9fX8ri3vqlPmeKNZjc+yTORxazFkMTyGVd6qzkwgGx7fuosCohA==&3fuD_=S2MtYLGX0vFd HTTP/1.1 | Host: www.xn---yado-8e4dze0c.site | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: global traffic | HTTP traffic detected: GET /bp3i/?3fuD_=S2MtYLGX0vFd&o6tTHHhh=+tA82deiMnBv5x6tQvXabF4qHjy6FJLdLGXe/FevxPH8etKnEP6uMBOxOd785YA8v1+XbYT2uw== HTTP/1.1 | Host: www.oceancollaborative.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (seven NUL bytes, nothing printable)
Source: Joe Sandbox View | IP Address: 184.168.131.241
Source: Joe Sandbox View | ASN Name: CYBERCONUS
Source: Joe Sandbox View | ASN Name: AS-HOSTINGERLT
Source: Joe Sandbox View | ASN Name: SOFTLAYERUS
Source: unknown | DNS traffic detected: queries for: www.bluebeltpanobuy.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | Content-Type: text/html | Last-Modified: Tue, 25 Jun 2019 07:07:25 GMT | Etag: "999-5d11c82d-331806d17fbda5d0;;;" | Accept-Ranges: bytes | Content-Length: 2457 | Date: Fri, 11 Jun 2021 06:55:14 GMT | Server: LiteSpeed | Data: HTML body (the raw hex is truncated in the report; it decodes to a page beginning <!DOCTYPE html> <html lang="en-us" prefix="content: http://purl.org/rss/1.0/modules/content/ dc: http://purl.org/dc/terms/ ..."> followed by AngularJS ng-cloak stylesheet rules)
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: http://dfltweb1.onamae.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 5t2CmTUhKc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 5t2CmTUhKc.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000000.344027143.000000000095C000.00000004.00000020.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000005.00000000.366847919.000000000B1A6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://afternic.com/forsale/oceancollaborative.com?utm_source=TDFS&utm_medium=sn_affiliate_click&ut
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://www.google-analytics.com/analytics.js
Source: help.exe, 0000000B.00000002.599307381.0000000003742000.00000004.00000001.sdmp | String found in binary or memory: https://www.purpleqube.com/bp3i/?o6tTHHhh=IkQuCFl7MCfBRj/Vz
Source: C:\Users\user\Desktop\5t2CmTUhKc.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_004181D0 NtCreateFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00418280 NtReadFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00418300 NtClose
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_004181CE NtCreateFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041827A NtReadFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_004183AB NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B198F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B199A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B195D0 NtClose,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19540 NtReadFile,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B196E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B197A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B198A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19820 NtEnumerateKey
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B1B040 NtSuspendThread
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B199D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19950 NtQueueApcThread
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19A10 NtQuerySection
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B1A3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19B00 NtSetValueKey
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B195F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B1AD30 NtSetContextThread
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19560 NtWriteFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B196D0 NtCreateKey
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19650 NtQueryValueKey
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B1A710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19770 NtSetInformationFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B1A770 NtOpenThread
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B19760 NtOpenProcess
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_004181D0 NtCreateFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_00418280 NtReadFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_00418300 NtClose
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_004183B0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_004181CE NtCreateFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041827A NtReadFile
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_004183AB NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B799A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B795D0 NtClose,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79540 NtReadFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B796E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B796D0 NtCreateKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79650 NtQueryValueKey,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79FE0 NtCreateMutant,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B798A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B798F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B7B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B795F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B799D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B7AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79560 NtWriteFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79A20 NtResumeThread
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79A10 NtQuerySection
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B7A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B797A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B7A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B7A770 NtOpenThread
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B79760 NtOpenProcess
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_004181D0 NtCreateFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00418280 NtReadFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00418300 NtClose
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_004181CE NtCreateFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_0041827A NtReadFile
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_004183AB NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 0_2_00404853
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 0_2_00406131
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 0_2_73611A98
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041C0A9
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041C1CD
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041B992
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041C2A7
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041A302
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00408C6B
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00408C70
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041B4B3
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_0041BD9E
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00402FB0
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B020A0
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00BA20A8
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00AEB090
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B91002
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00AF4120
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00ADF900
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B0EBB0
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00AE841F
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00B02581
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00AED5E0
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00AD0D20
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00BA1D55
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00BA2EF7
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_2_00AF6E30
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_00401030
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041C0A9
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041C1CD
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041B992
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041C2A7
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041A302
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_00408C6B
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_00408C70
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 2_1_0041B4B3
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B620A0
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B4B090
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C020A8
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B4841F
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00BF1002
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C025DD
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B62581
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B4D5E0
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B30D20
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C01D55
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B54120
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B3F900
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C02D07
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C02EF7
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C022AE
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B56E30
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00B6EBB0
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C01FF1
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00BFDBD2
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00C02B28
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_0041A302
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00408C6B
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00408C70
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00402D87
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00402D90
          Source: C:\Windows\SysWOW64\help.exe, Code function: 11_2_00402FB0
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: String function: 00419F80 appears 34 times
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: String function: 00ADB150 appears 35 times
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exeCode function: String function: 0041A0B0 appears 38 times
          Source: C:\Windows\SysWOW64\help.exeCode function: String function: 00B3B150 appears 35 times
          Source: 5t2CmTUhKc.exe, 00000000.00000003.340429454.0000000009AFF000.00000004.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs 5t2CmTUhKc.exe
          Source: 5t2CmTUhKc.exe, 00000002.00000002.417241372.0000000000D5F000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenamentdll.dllj% vs 5t2CmTUhKc.exe
          Source: 5t2CmTUhKc.exe, 00000002.00000002.416438453.0000000000AA4000.00000040.00000001.sdmp, Binary or memory string: OriginalFilenameHelp.Exej% vs 5t2CmTUhKc.exe
          Source: 5t2CmTUhKc.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
          Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.416256071.0000000000870000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.597396860.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.416309209.00000000009F0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.597782419.0000000000750000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.415990324.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000B.00000002.597893599.0000000000780000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.342749345.0000000002290000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000001.338823641.0000000000400000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.5t2CmTUhKc.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.1.5t2CmTUhKc.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0.2.5t2CmTUhKc.exe.2290000.3.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine, Classification label: mal100.troj.evad.winEXE@8/4@11/6
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
          Source: C:\Windows\System32\conhost.exe, Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
          Source: C:\Users\user\Desktop\5t2CmTUhKc.exe, File created: C:\Users\user\AppData\Local\Temp\nse5FE8.tmp
          Source: 5t2CmTUhKc.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ