
Analysis Report 444890321.exe

Overview

General Information

Sample Name: 444890321.exe
Analysis ID: 433174
MD5: f161fe51fee0cd2f542ea759241c88cb
SHA1: cd75d9c5a293151ad50dfa1d05edb5871fc08ad5
SHA256: d2d2d97ab2f2c78a230c58a61296504419d0b545c6c6d76193b654dfe9937499
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • 444890321.exe (PID: 5820 cmdline: 'C:\Users\user\Desktop\444890321.exe' MD5: F161FE51FEE0CD2F542EA759241C88CB)
    • 444890321.exe (PID: 6092 cmdline: 'C:\Users\user\Desktop\444890321.exe' MD5: F161FE51FEE0CD2F542EA759241C88CB)
      • backgroundTaskHost.exe (PID: 4160 cmdline: 'C:\Windows\system32\backgroundTaskHost.exe' -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: B7FC4A29431D4F795BBAB1FB182B759A)
        • cmd.exe (PID: 5568 cmdline: /c del 'C:\Users\user\Desktop\444890321.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 5880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autochk.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\autochk.exe MD5: 34236DB574405291498BCD13D20C42EB)
        • WWAHost.exe (PID: 4160 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.111bjs.com/ccr/"], "decoy": ["abdullahlodhi.com", "jevya.com", "knoxvillerestaurant.com", "mekarauroko7389.com", "cricketspowder.net", "johannchirinos.com", "orangeorganical.com", "libero-tt.com", "lorenaegianluca.com", "wintab.net", "modernmillievintage.com", "zgdqcyw.com", "jeffabildgaardmd.com", "nurulfikrimakassar.com", "findyourchef.com", "innovationsservicegroup.com", "destek-taleplerimiz.com", "whfqqco.icu", "kosmetikmadeingermany.com", "dieteticos.net", "savarsineklik.com", "newfashiontrends.com", "e-mobilitysolutions.com", "spaced.ltd", "amjadalitrading.com", "thejstutor.com", "zzhqp.com", "exoticomistico.com", "oklahomasundayschool.com", "grwfrog.com", "elementsfitnessamdwellbeing.com", "auldontoyworld.com", "cumhuriyetcidemokratparti.kim", "thetruthinternational.com", "adimadimingilizce.com", "retreatwinds.com", "duoteshop.com", "jasonkokrak.com", "latindancextreme.com", "agavedeals.com", "motz.xyz", "kspecialaroma.com", "yuejinjc.com", "print12580.com", "ampsports.tennis", "affordablebathroomsarizona.com", "casnop.com", "driftwestcoastmarket.com", "bjsjygg.com", "gwpjamshedpur.com", "reserveacalifornia.com", "caobv.com", "culturaenmistacones.com", "back-upstore.com", "jjsmiths.com", "iamxc.com", "siobhankrittiya.com", "digitalakanksha.com", "koatku.com", "shamushalkowich.com", "merplerps.com", "fishexpertise.com", "sweetheartmart.com", "nqs.xyz"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
1.2.444890321.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.2.444890321.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.444890321.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
1.1.444890321.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
1.1.444890321.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: www.111bjs.com/ccr/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: 444890321.exe | Metadefender: Detection: 17%
Source: 444890321.exe | ReversingLabs: Detection: 67%
Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: 444890321.exe | Joe Sandbox ML: detected
Source: 1.2.444890321.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 10.2.WWAHost.exe.431f834.5.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 10.2.WWAHost.exe.34498d0.2.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.444890321.exe.23b0000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.1.444890321.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 444890321.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: WWAHost.pdb | source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: MusNotifyIcon.pdb | source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: Binary string: WWAHost.pdbUGP | source: 444890321.exe, 00000001.00000002.265580843.00000000026B0000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdbUGP | source: 444890321.exe, 00000000.00000003.207642896.00000000099C0000.00000004.00000001.sdmp, 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp, WWAHost.exe, 0000000A.00000002.470470953.0000000003F0F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: 444890321.exe, WWAHost.exe
Source: Binary string: MusNotifyIcon.pdbGCTL | source: explorer.exe, 00000004.00000000.238969976.000000000F6D2000.00000004.00000001.sdmp
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00405E61 FindFirstFileA,FindClose,0_2_00405E61
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_0040548B CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_0040548B
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_0040263E FindFirstFileA,0_2_0040263E
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\TileDataRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\Windows.StateRepository.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\SYSTEM32\usermgrcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\Windows.StateRepositoryPS.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\system32\StateRepository.Core.dll
Source: C:\Windows\System32\backgroundTaskHost.exe | File opened: C:\Windows\System32\usermgrproxy.dll
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi | 1_2_00417D7A
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi | 1_2_00417D24
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi | 1_1_00417D7A
Source: C:\Users\user\Desktop\444890321.exe | Code function: 4x nop then pop edi | 1_1_00417D24
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi | 10_2_03247D24
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 4x nop then pop edi | 10_2_03247D7A

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49737 -> 35.169.40.107:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.111bjs.com/ccr/
Source: global traffic | HTTP traffic detected: GET /ccr/?FJB=DYL3Mol3r87Z8qId+4Ycjijbq71Py48wOU/SaqdUDZ5D3FcnOOzajI1IKd683KRXh37z&v0=JDK8Zp HTTP/1.1 | Host: www.mekarauroko7389.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ccr/?FJB=AxjKtjbRfNJtNPnejOfQjb3R2KRHRMY2w4U1+yq2aSZlRtrxzdj5Yr2imIB9O7nqKvHd&v0=JDK8Zp HTTP/1.1 | Host: www.oklahomasundayschool.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRevKVZrdd8Pf&v0=JDK8Zp HTTP/1.1 | Host: www.shamushalkowich.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.59.242.153
Source: Joe Sandbox View | ASN Name: BODIS-NJUS
Source: Joe Sandbox View | ASN Name: INTERQGMOInternetIncJP
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
Source: unknown | DNS traffic detected: queries for: www.mekarauroko7389.com
Source: explorer.exe, 00000004.00000000.234301981.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: 444890321.exe | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 444890321.exe | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000004.00000000.234507726.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: WWAHost.exe, 0000000A.00000002.472331929.000000000480F000.00000004.00000001.sdmp | String found in binary or memory: https://www.shamushalkowich.com/ccr/?FJB=UiEpDr7iywR9iaGhQyAzq1r0qRPgWcdm1KzonEEBzxfYIUCNIf2vy6uHRev
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00405042 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405042

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419D50 NtCreateFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419E00 NtReadFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419E80 NtClose
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419F30 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419DFB NtReadFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00419F2B NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D95D0 NtClose,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9820 NtEnumerateKey
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009DB040 NtSuspendThread
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9950 NtQueueApcThread
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9A10 NtQuerySection
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009DA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9B00 NtSetValueKey
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009DAD30 NtSetContextThread
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9560 NtWriteFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D96D0 NtCreateKey
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9650 NtQueryValueKey
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009DA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9770 NtSetInformationFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009DA770 NtOpenThread
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009D9760 NtOpenProcess
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00419D50 NtCreateFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00419E00 NtReadFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00419E80 NtClose
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00419F30 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00419DFB NtReadFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00419F2B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E599A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E596E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E596D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E595D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E5A3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59B00 NtSetValueKey
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59A20 NtResumeThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59A10 NtQuerySection
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E599D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59950 NtQueueApcThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E598F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E598A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E5B040 NtSuspendThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59820 NtEnumerateKey
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E597A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59760 NtOpenProcess
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E5A770 NtOpenThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59770 NtSetInformationFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59730 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E5A710 NtOpenProcessToken
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E595F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59560 NtWriteFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E59520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E5AD30 NtSetContextThread
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03249F30 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03249E00 NtReadFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03249E80 NtClose
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03249D50 NtCreateFile
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03249F2B NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03249DFB NtReadFile
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_0040323C EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00404853
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00406131
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_740D1A98
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_0041E071
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00401030
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_0041E5FC
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00402D87
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00402D90
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00409E30
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00402FB0
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009AB090
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A620A8
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009C20A0
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A628EC
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A6E824
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A51002
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009BA830
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009B99BF
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_0099F900
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009B4120
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A622AE
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A54AEF
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A4FA2B
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009CEBB0
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009CABD8
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A423E3
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A5DBD2
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A503DA
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A62B28
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009BA309
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009BAB40
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A54496
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009A841F
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A5D466
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009BB477
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009C2581
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A52D82
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009AD5E0
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A625DD
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A62D07
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00990D20
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A61D55
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A62EF7
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_009B6E30
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A5D616
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A61FF1
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_2_00A6DFCE
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_0041E071
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00401030
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_0041E5FC
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00402D87
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00402D90
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00409E30
Source: C:\Users\user\Desktop\444890321.exe | Code function: 1_1_00402FB0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ED03DA
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EDDBD2
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E4EBB0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E3AB40
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE2B28
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE22AE
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ECFA2B
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E34120
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E1F900
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE28EC
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E420A0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE20A8
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E2B090
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EEE824
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E3A830
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03ED1002
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE1FF1
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EEDFCE
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE2EF7
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E36E30
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EDD616
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E2D5E0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE25DD
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E42581
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE1D55
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E10D20
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EE2D07
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03EDD466
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03E2841F
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0324E071
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03232FB0
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03239E30
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03232D87
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_03232D90
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: 10_2_0324E5FC
Source: C:\Windows\SysWOW64\WWAHost.exe | Code function: String function: 03E1B150 appears 54 times
Source: C:\Users\user\Desktop\444890321.exe | Code function: String function: 0041BBD0 appears 38 times
Source: C:\Users\user\Desktop\444890321.exe | Code function: String function: 0099B150 appears 136 times
Source: 444890321.exe, 00000000.00000003.204714457.0000000009C6F000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 444890321.exe
Source: 444890321.exe, 00000001.00000002.265683363.0000000002766000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameWWAHost.exej% vs 444890321.exe
Source: 444890321.exe, 00000001.00000002.265126021.0000000000A8F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 444890321.exe
Source: 444890321.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.469354418.0000000003230000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.469573430.00000000032E0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000001.207643919.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.264934949.0000000000910000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.210395698.00000000023B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.264873769.00000000008B0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.264645611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.2.444890321.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.444890321.exe.23b0000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.444890321.exe.23b0000.3.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 1.1.444890321.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: classification engine | Classification label: mal100.troj.evad.winEXE@9/4@3/3
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00404356 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA
Source: C:\Users\user\Desktop\444890321.exe | Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_01
Source: C:\Users\user\Desktop\444890321.exe | File created: C:\Users\user\AppData\Local\Temp\nskAF62.tmp
Source: 444890321.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\444890321.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\444890321.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers