
Analysis Report Order 275594 04-D4E5A.exe

Overview

General Information

Sample Name: Order 275594 04-D4E5A.exe
Analysis ID: 433223
MD5: 3f4cc7f69f0d3b70a20dfd2243bc16db
SHA1: b0e2841f5c7d754e4af796088b659c204edf5fd8
SHA256: 6e556200dba57fdce36308bbd34c19398ecf627828627b380244aeede2f90176
Tags: exe, Formbook


Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Suspect Svchost Activity
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Sigma detected: Suspicious Svchost Process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • Order 275594 04-D4E5A.exe (PID: 2024 cmdline: 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe' MD5: 3F4CC7F69F0D3B70A20DFD2243BC16DB)
    • schtasks.exe (PID: 6040 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EDclkRlYpO' /XML 'C:\Users\user\AppData\Local\Temp\tmp285B.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Order 275594 04-D4E5A.exe (PID: 3596 cmdline: {path} MD5: 3F4CC7F69F0D3B70A20DFD2243BC16DB)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 5392 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 1332 cmdline: /c del 'C:\Users\user\Desktop\Order 275594 04-D4E5A.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.couragepennies.com/dlwk/"], "decoy": ["universitypinesseniorliving.com", "mtcy0852.com", "abslevha.com", "breedersbatch.com", "longlivegenx.com", "yibaogy.com", "sex8e.com", "luxsot.com", "arizonafinevioins.com", "lalabusha.xyz", "everycases.net", "unhealthyisunweathly.com", "anchorphonemounts.com", "teachuswell.com", "theshadedco.com", "wallopchain.com", "balitourexplore.com", "resctub.com", "freshlyfadedapparel.com", "betamartgroceries.com", "jordanbaileyportfolio.com", "kellenkamm.com", "starwarsnyc.com", "banhsinhnhat.net", "keminadentalcare.com", "belocalsearch.com", "cihedu-formation.com", "merroir.net", "rjdsouza.com", "evolutionhvac.net", "larepublica0.com", "filmarabia.com", "14dzb.com", "realoneathletics.com", "easx.systems", "centerzasporocila.com", "divishasharma.com", "livinghistory.city", "itsoftwarekrzysztofradwan.com", "chinhhanghm46.site", "may252021.com", "a2zcreditrepair.com", "1comcall.com", "hourgroups.com", "tabletz-llc.com", "nliplace.com", "myproductives.com", "gogo90s.com", "therotaryphone.com", "rosaouladi.com", "myfragnance.com", "nhbeitai.com", "medermatologia.com", "7750118.com", "bandweven.com", "blue-wms.net", "dacyclinu.com", "creativehuesdesigns.com", "misteraircondition.com", "bryantbe.com", "bdgunshi.com", "51zheyang.com", "israelemirates.travel", "wildslaskan.com"]}

Yara Overview

Memory Dumps

Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security

Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp
Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp
Rule: Formbook (detect Formbook in memory), Author: JPCERT/CC Incident Response Group
Strings:
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C

Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp
Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security

Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp
Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(20 further memory-dump entries not shown in this export)

      Unpacked PEs

Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack
Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security

Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack
Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack
Rule: Formbook (detect Formbook in memory), Author: JPCERT/CC Incident Response Group
Strings:
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C

Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack
Rule: JoeSecurity_FormBook (Yara detected FormBook), Author: Joe Security

Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack
Rule: Formbook_1 (autogenerated rule brought to you by yara-signator), Author: Felix Bilstein - yara-signator at cocacoding dot com
Strings:
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(7 further unpacked-PE entries not shown in this export)
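The strings above are fixed byte patterns, so the hits can be reproduced without yara-python. The following is an added example and not code from the Joe Sandbox report, from JPCERT/CC or from yara-signator: a plain-Python scanner for five of the listed byte strings, run over a constructed stand-in for a memory dump. The three JPCERT strings are `push imm32` instructions (opcode 0x68) whose immediates the rule names after sqlite3 APIs; the `matches_jpcert_rule` condition (all three present) is an assumption about that rule, not copied from it.

```python
"""Reproduce the fixed-byte matches from the report's Yara section.

Added example, not code from the Joe Sandbox report, from JPCERT/CC or from
yara-signator: a plain-Python scanner for the byte strings those rules list,
so the hits above can be reproduced on a dump without yara-python.
"""
import struct

# Byte strings copied from the report's Yara section. The three JPCERT
# strings are `push imm32` instructions (opcode 0x68) named after the
# sqlite3 API each immediate is associated with; the yara-signator
# strings are short code fragments (two of its ten are shown here).
PATTERNS = {
    "sqlite3step": bytes.fromhex("68 34 1C 7B E1"),
    "sqlite3text": bytes.fromhex("68 38 2A 90 C5"),
    "sqlite3blob": bytes.fromhex("68 53 D8 7F 8C"),
    "sequence_0": bytes.fromhex("03 C8 0F 31 2B C1 89 45 FC"),
    "sequence_4": bytes.fromhex("5D C3 8D 50 7C 80 FA 07"),
}


def find_all(data: bytes, needle: bytes) -> list:
    """Every offset of needle in data, overlapping occurrences included."""
    hits, start = [], 0
    while (idx := data.find(needle, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def scan(data: bytes) -> dict:
    """Map each pattern name to its hit offsets; names with no hits are omitted."""
    results = {}
    for name, pattern in PATTERNS.items():
        offsets = find_all(data, pattern)
        if offsets:
            results[name] = offsets
    return results


def push_imm32(data: bytes, offset: int) -> int:
    """Decode the little-endian immediate of a `push imm32` at offset."""
    if data[offset] != 0x68:
        raise ValueError(f"no push imm32 opcode at {offset:#x}")
    return struct.unpack_from("<I", data, offset + 1)[0]


def matches_jpcert_rule(results: dict) -> bool:
    """Condition of the JPCERT rule as assumed here: all three sqlite3 strings present."""
    return all(name in results for name in ("sqlite3step", "sqlite3text", "sqlite3blob"))


def build_sample() -> bytes:
    """Constructed stand-in for a memory dump: NOP filler with patterns planted at fixed offsets."""
    buf = bytearray(b"\x90" * 0x200)
    buf[0x10:0x15] = PATTERNS["sqlite3step"]
    buf[0x40:0x45] = PATTERNS["sqlite3text"]
    buf[0x53:0x58] = PATTERNS["sqlite3blob"]
    buf[0x100:0x109] = PATTERNS["sequence_0"]
    buf[0x180:0x189] = PATTERNS["sequence_0"]  # the report also shows this one twice
    return bytes(buf)


if __name__ == "__main__":
    import sys

    # Pass a real .sdmp / unpacked PE as argv[1]; without one the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    results = scan(data)
    for name, offsets in results.items():
        print(f"{name}: {', '.join(hex(o) for o in offsets)}")
    for offset in results.get("sqlite3step", []):
        print(f"  push imm32 at {offset:#x} -> {push_imm32(data, offset):#010x}")
    print("JPCERT Formbook condition met:", matches_jpcert_rule(results))
```

Offsets printed for a real dump are file offsets into the dump, which is how the report lists them; on a `.unpack` image they shift by the difference between raw and virtual layout, which is why the same string reports `0x98e8` in the memory dump and `0x8ae8` in `17.2.Order 275594 04-D4E5A.exe.400000.0.unpack`.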

          Sigma Overview

          System Summary:

Sigma detected: Suspect Svchost Activity
Source: Process started, Author: David Burkett, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5392
Sigma detected: Suspicious Svchost Process
Source: Process started, Author: Florian Roth, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5392
Sigma detected: Windows Processes Suspicious Parent Directory
Source: Process started, Author: vburov, Data: Command: C:\Windows\SysWOW64\svchost.exe, CommandLine: C:\Windows\SysWOW64\svchost.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: , ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3388, ProcessCommandLine: C:\Windows\SysWOW64\svchost.exe, ProcessId: 5392
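All three rules fire on the same event: a 32-bit svchost.exe (SysWOW64 on a w10x64 host) with no command line, started by explorer.exe, which is the process tree's injected host for the FormBook payload. The following added example, not code from the report or from the Sigma project, evaluates process-creation events against this editor's simplified approximations of the three rules (assumption: the published rules carry longer filter lists than shown here). The first event is built from the fields the report shows for PID 5392; the second is a constructed benign service start for comparison.

```python
"""Evaluate process-creation events against simplified forms of the three
Sigma rules the report lists for the SysWOW64 svchost.exe.

Added example; not code from the Joe Sandbox report or from the Sigma
project. The three checks are approximations of what the named rules test
(assumption: the published rules carry longer filter lists).
"""
from pathlib import PureWindowsPath

# Parents that legitimately start svchost.exe (assumption: a subset of the
# filter in "Suspicious Svchost Process").
LEGIT_SVCHOST_PARENTS = {
    "services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe", "svchost.exe", "ngen.exe",
}

# Directories a system binary's parent is expected to run from (assumption:
# simplified from "Windows Processes Suspicious Parent Directory"). Note that
# C:\Windows itself is deliberately not on the list, so explorer.exe fails it.
TRUSTED_PARENT_DIRS = (
    "\\system32\\", "\\syswow64\\", "\\systemapps\\", "\\winsxs\\",
    "\\program files\\", "\\program files (x86)\\",
)


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower() if path else ""


def _is_svchost(event: dict) -> bool:
    return _basename(event.get("Image", "")) == "svchost.exe"


def suspect_svchost_activity(event: dict) -> bool:
    """svchost.exe started without arguments (a real service host gets -k <group>)."""
    cmd = event.get("CommandLine", "").strip().strip('"').lower()
    return _is_svchost(event) and cmd.endswith("svchost.exe")


def suspicious_svchost_process(event: dict) -> bool:
    """svchost.exe whose parent is not one of the known service-host launchers."""
    parent = _basename(event.get("ParentImage", ""))
    return _is_svchost(event) and parent != "" and parent not in LEGIT_SVCHOST_PARENTS


def suspicious_parent_directory(event: dict) -> bool:
    """svchost.exe whose parent runs from outside the trusted system directories."""
    parent = event.get("ParentImage", "").lower()
    return _is_svchost(event) and parent != "" and not any(d in parent for d in TRUSTED_PARENT_DIRS)


RULES = {
    "Suspect Svchost Activity": suspect_svchost_activity,
    "Suspicious Svchost Process": suspicious_svchost_process,
    "Windows Processes Suspicious Parent Directory": suspicious_parent_directory,
}


def evaluate(event: dict) -> list:
    """Names of the rules that fire for one process-creation event, in RULES order."""
    return [name for name, check in RULES.items() if check(event)]


# Fields taken from the report's Sigma section for the injected svchost.exe.
REPORT_EVENT = {
    "Image": "C:\\Windows\\SysWOW64\\svchost.exe",
    "CommandLine": "C:\\Windows\\SysWOW64\\svchost.exe",
    "ParentImage": "C:\\Windows\\explorer.exe",
    "ParentProcessId": 3388,
    "ProcessId": 5392,
}

# Constructed benign event: a normal service host started by services.exe.
BENIGN_EVENT = {
    "Image": "C:\\Windows\\System32\\svchost.exe",
    "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs -p -s Schedule",
    "ParentImage": "C:\\Windows\\System32\\services.exe",
    "ParentProcessId": 700,
    "ProcessId": 1234,
}

if __name__ == "__main__":
    for label, event in (("report", REPORT_EVENT), ("benign", BENIGN_EVENT)):
        print(label, evaluate(event) or ["no rule fired"])
```

The event dicts use the Sigma field names (`Image`, `CommandLine`, `ParentImage`) that the report prints, so events exported from Sysmon event 1 or Windows 4688 can be mapped onto them directly.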

          Signature Overview


          AV Detection:

Found malware configuration
Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.couragepennies.com/dlwk/"], "decoy": ["universitypinesseniorliving.com", "mtcy0852.com", "abslevha.com", "breedersbatch.com", "longlivegenx.com", "yibaogy.com", "sex8e.com", "luxsot.com", "arizonafinevioins.com", "lalabusha.xyz", "everycases.net", "unhealthyisunweathly.com", "anchorphonemounts.com", "teachuswell.com", "theshadedco.com", "wallopchain.com", "balitourexplore.com", "resctub.com", "freshlyfadedapparel.com", "betamartgroceries.com", "jordanbaileyportfolio.com", "kellenkamm.com", "starwarsnyc.com", "banhsinhnhat.net", "keminadentalcare.com", "belocalsearch.com", "cihedu-formation.com", "merroir.net", "rjdsouza.com", "evolutionhvac.net", "larepublica0.com", "filmarabia.com", "14dzb.com", "realoneathletics.com", "easx.systems", "centerzasporocila.com", "divishasharma.com", "livinghistory.city", "itsoftwarekrzysztofradwan.com", "chinhhanghm46.site", "may252021.com", "a2zcreditrepair.com", "1comcall.com", "hourgroups.com", "tabletz-llc.com", "nliplace.com", "myproductives.com", "gogo90s.com", "therotaryphone.com", "rosaouladi.com", "myfragnance.com", "nhbeitai.com", "medermatologia.com", "7750118.com", "bandweven.com", "blue-wms.net", "dacyclinu.com", "creativehuesdesigns.com", "misteraircondition.com", "bryantbe.com", "bdgunshi.com", "51zheyang.com", "israelemirates.travel", "wildslaskan.com"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\EDclkRlYpO.exe, Metadefender: Detection: 20%
Source: C:\Users\user\AppData\Roaming\EDclkRlYpO.exe, ReversingLabs: Detection: 50%
Multi AV Scanner detection for submitted file
Source: Order 275594 04-D4E5A.exe, Metadefender: Detection: 20%
Source: Order 275594 04-D4E5A.exe, ReversingLabs: Detection: 50%
Yara detected FormBook
Source: Yara match, File source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack, Avira: Label: TR/Crypt.XPACK.Gen2

          Compliance:

Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Unpacked PE file: 0.2.Order 275594 04-D4E5A.exe.10000.0.unpack
Source: Order 275594 04-D4E5A.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Order 275594 04-D4E5A.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wscui.pdbUGP, source: explorer.exe, 00000012.00000000.353720348.0000000006300000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP, source: Order 275594 04-D4E5A.exe, 00000011.00000002.363040639.0000000001A6F000.00000040.00000001.sdmp, svchost.exe, 00000017.00000003.362268250.0000000000D00000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Order 275594 04-D4E5A.exe, svchost.exe
Source: Binary string: wscui.pdb, source: explorer.exe, 00000012.00000000.353720348.0000000006300000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 4x nop then pop ebx, 17_2_00407B02
Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe, Code function: 4x nop then pop edi, 17_2_00417D6B
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop ebx, 23_2_00357B02
Source: C:\Windows\SysWOW64\svchost.exe, Code function: 4x nop then pop edi, 23_2_00367D6B

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 184.168.131.241:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 184.168.131.241:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49750 -> 184.168.131.241:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.couragepennies.com/dlwk/
Source: global traffic, HTTP traffic detected: GET /dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE HTTP/1.1, Host: www.filmarabia.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 184.168.131.241
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: AS-26496-GO-DADDY-COM-LLCUS
HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE HTTP/1.1, Host: www.filmarabia.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii: (empty)
Source: unknown, DNS traffic detected: queries for: www.filmarabia.com
Source: explorer.exe, 00000012.00000000.330665064.000000000F6C0000.00000004.00000001.sdmp, String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304079572.0000000002483000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Order 275594 04-D4E5A.exe, 00000000.00000002.308638429.0000000005770000.00000002.00000001.sdmp, explorer.exe, 00000012.00000000.327097499.0000000008B40000.00000002.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: svchost.exe, 00000017.00000002.475573917.0000000003B5F000.00000004.00000001.sdmp, String found in binary or memory: https://dan.com/domain-seller/future-parallel?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3
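The network evidence fits the extracted configuration: the captured GET uses the configured C2 path (/dlwk/) and a two-parameter query, carries no User-Agent, and is sent to www.filmarabia.com, which is one of the decoy domains rather than the real C2 host, and 184.168.131.241 is simply where that decoy resolved. The following added example, not code from the report, turns those observations into a check that can be run over captured HTTP requests: it parses a raw request, compares the path and Host against the configuration, and grades the result. The configuration values are copied from the report (the decoy list is shortened to a subset); the first request is reassembled from the report's HTTP line, the second is a constructed benign request.

```python
"""Flag FormBook-style C2 check-ins in captured HTTP requests using the
C2 path and decoy-domain list from the report's extracted configuration.

Added example; not code from the Joe Sandbox report. FormBook keeps one URI
path and a two-parameter query while rotating the Host header between its
real C2 and a list of decoy domains, so path plus host list is the stable
indicator. Config values are copied from the report (decoy list shortened);
the request samples are constructed.
"""
from urllib.parse import parse_qs, urlsplit

CONFIG = {
    "C2 list": ["www.couragepennies.com/dlwk/"],
    "decoy": [  # subset of the 64 decoy domains in the report
        "universitypinesseniorliving.com", "mtcy0852.com", "abslevha.com",
        "filmarabia.com", "may252021.com", "israelemirates.travel",
    ],
}


def _bare(host: str) -> str:
    """Lower-case a host and drop a leading www. so config and Host header compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_paths(config: dict) -> set:
    """URI paths of the configured C2 entries, e.g. '/dlwk/'."""
    return {"/" + entry.split("/", 1)[1] for entry in config["C2 list"] if "/" in entry}


def watched_hosts(config: dict) -> set:
    """C2 hosts plus decoy domains, normalised with _bare."""
    hosts = {_bare(entry.split("/", 1)[0]) for entry in config["C2 list"]}
    return hosts | {_bare(domain) for domain in config["decoy"]}


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target and lower-cased header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(raw: str, config: dict) -> dict:
    """Return the indicators one request matches and a verdict derived from them."""
    req = parse_request(raw)
    url = urlsplit(req["target"])
    host = _bare(req["headers"].get("host", ""))
    query = parse_qs(url.query, keep_blank_values=True)
    reasons = []
    if url.path in c2_paths(config):
        reasons.append("c2-path")
    if host in watched_hosts(config):
        reasons.append("c2-or-decoy-host")
    if "user-agent" not in req["headers"]:
        reasons.append("no-user-agent")
    if req["method"] == "GET" and len(query) == 2:
        reasons.append("two-param-query")
    if {"c2-path", "c2-or-decoy-host"} <= set(reasons):
        verdict = "formbook-checkin"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"host": host, "path": url.path, "reasons": reasons, "verdict": verdict}


# The GET the sandbox captured, reassembled into wire form from the report's
# HTTP line; the 7 zero bytes of body data it carried are omitted.
REPORT_REQUEST = (
    "GET /dlwk/?UR-=9rBHCraXjjKXgv1p&m48=Jq8U7OueiU8HflHyK8f2qmPQo6WO3DR3Chi1RjI9I2gNlG9lXXXNlrydudUfV5dRmlhE HTTP/1.1\r\n"
    "Host: www.filmarabia.com\r\n"
    "Connection: close\r\n\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)

if __name__ == "__main__":
    for raw in (REPORT_REQUEST, BENIGN_REQUEST):
        print(classify(raw, CONFIG))
```

Matching on the decoy list is what makes this useful: blocking only the destination IP or the one domain seen in the sandbox misses the next check-in, which the sample will send with the same path to a different host from the same list.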

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE

          System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.362753354.0000000001460000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.469734076.0000000000C80000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.304744303.0000000003496000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.469416367.0000000000C50000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.Order 275594 04-D4E5A.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.0.Order 275594 04-D4E5A.exe.400000.1.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Initial sample is a PE file and has a suspicious nameShow sources
          Source: initial sampleStatic PE information: Filename: Order 275594 04-D4E5A.exe
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 0_2_00AA01A4 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 0_2_00AA017E NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 0_2_00AA3449 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419D60 NtCreateFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419E10 NtReadFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419E90 NtClose
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419F40 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419D5A NtCreateFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419DB2 NtCreateFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419E0A NtReadFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419E8B NtClose
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_00419F3C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019BB040 NtSuspendThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019BA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9A10 NtQuerySection
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019BAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9560 NtWriteFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019BA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019BA770 NtOpenThread
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9760 NtOpenProcess
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B96D0 NtCreateKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: 17_2_019B9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031AA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031AB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031AA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031AA770 NtOpenThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031AAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A9560 NtWriteFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_031A95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369D60 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369E10 NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369E90 NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369F40 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369D5A NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369DB2 NtCreateFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369E0A NtReadFile
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369E8B NtClose
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 23_2_00369F3C NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\Order 275594 04-D4E5A.exe | Code function: String function: 0197B150 appears 133 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0316B150 appears 136 times
          Source: Order 275594 04-D4E5A.exe | Binary or memory string: OriginalFilename vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.304577458.0000000002878000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWindowsNetwork.dll> vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000000.198736088.0000000000012000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEhBr.exe: vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312462947.00000000070B0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312764855.0000000007230000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312764855.0000000007230000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312344309.0000000006E90000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000000.00000002.312695039.00000000071D0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe | Binary or memory string: OriginalFilename vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000011.00000000.299621636.0000000000E02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameEhBr.exe: vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe, 00000011.00000002.363040639.0000000001A6F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe | Binary or memory string: OriginalFilenameEhBr.exe: vs Order 275594 04-D4E5A.exe
          Source: Order 275594 04-D4E5A.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000017.00000002.467643096.0000000000350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.362227114.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000000.299991794.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.362777252.0000000001490000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author =