
Windows Analysis Report mal.pif

Overview

General Information

Sample Name: mal.pif (renamed file extension from pif to exe)
Analysis ID: 452374
MD5: b9bca038d7532ec8a1a9ba0e867061bc
SHA1: 6596ac1216bf03d88482415755c499ed6388cab4
SHA256: 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Process Tree

  • System is w10x64
  • mal.exe (PID: 5944 cmdline: 'C:\Users\user\Desktop\mal.exe' MD5: B9BCA038D7532EC8A1A9BA0E867061BC)
    • mal.exe (PID: 68 cmdline: C:\Users\user\Desktop\mal.exe MD5: B9BCA038D7532EC8A1A9BA0E867061BC)
      • explorer.exe (PID: 3388 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 1328 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 4464 cmdline: /c del 'C:\Users\user\Desktop\mal.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.trendtechpros.com/sm3l/"], "decoy": ["svp-india.com", "feistyflowerfarmers.com", "artprogressive.com", "thedavidweaver.com", "currentputative.life", "bluedot3dwdbuy.com", "xxxmeetme.com", "signify2.com", "converseshoes-canada.com", "schemabuilder.net", "crmcti.com", "mctrh.com", "ringroadpartners.com", "stresslesspilates.com", "directorytexas.xyz", "sarahcarver.com", "diigveda.com", "lifeliveslive.com", "inprize2020.club", "sellerbantuan-bukalapak.com", "thesawbuddy.com", "vtolworldwide.com", "montespc.com", "mylifeinpark.com", "etten-api.com", "plantersam.com", "themcg.net", "tax-account.net", "laurelhomesgroup.com", "epmconsultants.com", "air.guide", "shopfabrique.com", "publicretirementinfo.com", "diversifiedforest.com", "bodurm.com", "aphroditesspiritualshop.com", "vinowolf.com", "teja-online.com", "junion.site", "regenmedica.com", "soulfulparent.com", "elcorazondemama.com", "bench-oat.com", "abrewhomes.com", "premiocovid-19.com", "palmaunlocked.com", "bylauralittle.com", "stikepage.com", "miabogadorolon.com", "hungyivn.com", "interlacer.com", "liang831113.com", "onlinepracticebox.com", "easycookingmastermind.com", "murderofasun.tech", "mybabytennis.com", "margaritagift.com", "utx88.com", "bofengjiaoyegs.com", "reforming-toilets.xyz", "eaoaj.com", "only-king.com", "nearinn.com", "fitsportshop.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings

Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x2685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x2171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x2787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x28ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x13ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x8327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x932a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x5409:$sqlite3step: 68 34 1C 7B E1
  • 0x551c:$sqlite3step: 68 34 1C 7B E1
  • 0x5438:$sqlite3text: 68 38 2A 90 C5
  • 0x555d:$sqlite3text: 68 38 2A 90 C5
  • 0x544b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x5573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further memory dump entries are not included in this export)

Unpacked PEs

Source | Rule | Description | Author | Strings

Source: 2.2.mal.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.mal.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.mal.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17609:$sqlite3step: 68 34 1C 7B E1
  • 0x1771c:$sqlite3step: 68 34 1C 7B E1
  • 0x17638:$sqlite3text: 68 38 2A 90 C5
  • 0x1775d:$sqlite3text: 68 38 2A 90 C5
  • 0x1764b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17773:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.mal.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.mal.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked PE entry is not included in this export)

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration identical to the one listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: mal.exe; Virustotal: Detection: 60%
Source: mal.exe; Metadefender: Detection: 20%
Source: mal.exe; ReversingLabs: Detection: 63%
Yara detected FormBook
Source: Yara match; File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: mal.exe; Joe Sandbox ML: detected
Source: 2.2.mal.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: mal.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: mal.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: wntdll.pdbUGP; source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.469738032.000000000466F000.00000040.00000001.sdmp
Source: Binary string: control.pdb; source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe
Source: Binary string: control.pdbUGP; source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.trendtechpros.com/sm3l/
Source: global traffic; HTTP traffic detected: GET /sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9+xe6WE7Z8sx0d/816zczOTA6oQi&ixo0sr=dFQtk HTTP/1.1 | Host: www.mybabytennis.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic; HTTP traffic detected: GET /sm3l/?y0DdGli=yq5bXiAgrpTP0Cl4DWGobHu0GmgEguW+SJypzbO1DFimS8AGhR5rfP7J/muem3koPRQw&ixo0sr=dFQtk HTTP/1.1 | Host: www.sarahcarver.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View; IP Address: 52.58.78.16
Source: Joe Sandbox View; IP Address: 209.99.64.55
Source: Joe Sandbox View; ASN Name: AMAZON-02US
Source: Joe Sandbox View; ASN Name: CONFLUENCE-NETWORK-INCVG
Source: unknown; DNS traffic detected: queries for: www.mybabytennis.com
Source: explorer.exe, 00000003.00000000.291630599.0000000004DF3000.00000004.00000001.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: mal.exe, 00000000.00000003.204191241.000000000800E000.00000004.00000001.sdmp; String found in binary or memory: http://en.wikip
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://fontfabrik.com
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/js/min.js?v2.2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/arrow.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libg.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/logo.png)
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: mal.exe, 00000000.00000003.204789159.0000000008008000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.com
Source: mal.exe, 00000000.00000003.204823498.0000000008008000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comi
Source: mal.exe, 00000000.00000003.204789159.0000000008008000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comig
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.carterandcone.coml
Source: mal.exe, 00000000.00000003.204733994.0000000008008000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.como.p
Source: mal.exe, 00000000.00000003.204874236.0000000008008000.00000004.00000001.sdmp; String found in binary or memory: http://www.carterandcone.comroa
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com
Source: mal.exe, 00000000.00000003.207578003.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com-mI:
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers
Source: mal.exe, 00000000.00000003.207611132.000000000800A000.00000004.00000001.sdmp, mal.exe, 00000000.00000003.207500666.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/?
Source: mal.exe, 00000000.00000003.209299719.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: mal.exe, 00000000.00000003.208234930.000000000800A000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersG
Source: mal.exe, 00000000.00000003.209584380.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersP
Source: mal.exe, 00000000.00000003.209521434.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersd
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp, mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designersz
Source: mal.exe, 00000000.00000003.209584380.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.com/designers~
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comF
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.coma
Source: mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comalice:i
Source: mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comalssys
Source: mal.exe, 00000000.00000003.210270469.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comcomF
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comcomde:i
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comde:i
Source: mal.exe, 00000000.00000003.207824329.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.come.com
Source: mal.exe, 00000000.00000003.216548086.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comepko
Source: mal.exe, 00000000.00000003.207998268.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comgrito
Source: mal.exe, 00000000.00000003.207578003.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comld9
Source: mal.exe, 00000000.00000003.207500666.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comsivo
Source: mal.exe, 00000000.00000003.208751647.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comtui
Source: mal.exe, 00000000.00000003.207782523.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comuei
Source: mal.exe, 00000000.00000003.216548086.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comuetow:
Source: mal.exe, 00000000.00000003.210571227.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.fontbureau.comueu
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.fonts.com
Source: mal.exe, 00000000.00000003.204191241.000000000800E000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn
Source: mal.exe, 00000000.00000003.204496454.0000000008007000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/D
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: mal.exe, 00000000.00000003.204185338.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn0
Source: mal.exe, 00000000.00000003.204286511.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cn8
Source: mal.exe, 00000000.00000003.204249088.000000000800E000.00000004.00000001.sdmp; String found in binary or memory: http://www.founder.com.cn/cns-m_=
Source: mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/R:
Source: mal.exe, 00000000.00000003.211735765.0000000008027000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.kr
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.krT
Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmp; String found in binary or memory: http://www.goodfont.co.krn
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: mal.exe, 00000000.00000003.205981661.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp//
Source: mal.exe, 00000000.00000003.205652032.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/49
Source: mal.exe, 00000000.00000003.206069922.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0-p
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/e:i
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/es-mI:
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/49
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/sys
Source: mal.exe, 00000000.00000003.205710785.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/pt-p
Source: mal.exe, 00000000.00000003.205981661.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/sys
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: mal.exe, 00000000.00000003.206216760.0000000008005000.00000004.00000001.sdmp; String found in binary or memory: http://www.jiyu-kobo.co.jp/w:
Source: mal.exe, 00000000.00000003.211460680.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.
Source: mal.exe, 00000000.00000003.211636615.000000000800A000.00000004.00000001.sdmp; String found in binary or memory: http://www.monotype.p%zzm
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/All_Inclusive_Vacation_Packages.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/Best_Penny_Stocks.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoB
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/High_Speed_Internet.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lpt
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/Migraine_Pain_Relief.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lp
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/Parental_Control.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBx
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/display.cfm
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/fashion_trends.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/find_a_tutor.cfm?fp=syKayxFxS7ngKoWOcFEHaS3GPZbkQaeTz%2FfOPjm6lptoBxA1IN
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/px.js?ch=1
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/px.js?ch=2
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/sk-logabpstatus.php?a=aDNHUmh6Q0JZczhsWUF1VWNMaFBPajRtSXdZNU1RMWxXTi9ia3
Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmp; String found in binary or memory: http://www.mybabytennis.com/sm3l/?y0DdGli=KvXnBCtAoO2yHEt5dL0Fxw3RJm1prCWWr0IwHlUk9
Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sajatypeworks.com
Source: mal.exe, 00000000.00000003.206412694.0000000008008000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sakkal.com
Source: mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr
Source: mal.exe, 00000000.00000003.203919342.000000000800E000.00000004.00000001.sdmp; String found in binary or memory: http://www.sandoll.co.kr-3
          Source: mal.exe, 00000000.00000003.204113869.000000000800E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr.kr
          Source: mal.exe, 00000000.00000003.203969376.000000000800E000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.krB
          Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sarahcarver.com
          Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmpString found in binary or memory: http://www.sarahcarver.com/
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: mal.exe, 00000000.00000003.205252766.0000000008008000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comlic&
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deZ
          Source: mal.exe, 00000000.00000003.210675196.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deeg
          Source: mal.exe, 00000000.00000003.207276085.000000000800A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deu
          Source: explorer.exe, 00000003.00000000.274814450.0000000008B40000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: mal.exe, 00000000.00000003.204709826.0000000008007000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cnf
          Source: control.exe, 0000000F.00000002.471576224.00000000050AF000.00000004.00000001.sdmpString found in binary or memory: https://www.domain.com/controlpanel/domaincentral/3.0/

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match File source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match File source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match File source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match File source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419D60 NtCreateFile,
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419E10 NtReadFile,
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419E90 NtClose,
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419F40 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419E8A NtClose,
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00419F3B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045B9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045BA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029F40 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029E10 NtReadFile,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029E90 NtClose,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029D60 NtCreateFile,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029F3B NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03029E8A NtClose,
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00401030
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041D14B
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041E224
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00402D87
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00402D90
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409E40
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409E3B
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041E6AC
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041DFC7
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463D466
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458841F
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04641D55
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04642D07
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04570D20
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458D5E0
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046425DD
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A2581
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04596E30
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463D616
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04642EF7
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04641FF1
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464DFCE
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0464E824
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631002
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046428EC
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0458B090
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046420A8
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045A20A0
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0457F900
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04594120
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046422AE
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04642B28
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0463DBD2
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_046303DA
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AEBB0
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302E224
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03012FB0
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302DFC7
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03019E3B
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03019E40
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302E6AC
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03012D87
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_03012D90
          Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0457B150 appears 45 times
          Source: mal.exe Binary or memory string: OriginalFilename vs mal.exe
          Source: mal.exe, 00000002.00000002.303382209.0000000001281000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs mal.exe
          Source: mal.exe, 00000002.00000002.304248088.000000000193F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs mal.exe
          Source: mal.exe Binary or memory string: OriginalFilenameObjectEqualityCompar.exe8 vs mal.exe
          Source: mal.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.mal.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.mal.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.294198475.0000000006254000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303434465.0000000001490000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.302913257.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.469299117.0000000003010000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.303482002.00000000014C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.467414216.00000000001B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: mal.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.evad.winEXE@7/1@2/2
          Source: C:\Users\user\Desktop\mal.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\mal.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3040:120:WilError_01
          Source: C:\Users\user\Desktop\mal.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\mal.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: mal.exe Virustotal: Detection: 60%
          Source: mal.exe Metadefender: Detection: 20%
          Source: mal.exe ReversingLabs: Detection: 63%
          Source: unknown Process created: C:\Users\user\Desktop\mal.exe 'C:\Users\user\Desktop\mal.exe'
          Source: C:\Users\user\Desktop\mal.exe Process created: C:\Users\user\Desktop\mal.exe C:\Users\user\Desktop\mal.exe
          Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
          Source: C:\Windows\SysWOW64\control.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\mal.exe'
          Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\mal.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: mal.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: mal.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe, 0000000F.00000002.469738032.000000000466F000.00000040.00000001.sdmp
          Source: Binary string: control.pdb source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: mal.exe, 00000002.00000002.303734652.0000000001690000.00000040.00000001.sdmp, control.exe
          Source: Binary string: control.pdbUGP source: mal.exe, 00000002.00000002.303620114.0000000001530000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CEB5 push eax; ret
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CF6C push eax; ret
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CF02 push eax; ret
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0041CF0B push eax; ret
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00A97535 push esp; retf
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045CD0D1 push ecx; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CF02 push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CF0B push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CF6C push eax; ret
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0302CEB5 push eax; ret
          Source: initial sample Static PE information: section name: .text entropy: 7.85599061274

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x80 0x0E 0xEE
          Source: C:\Users\user\Desktop\mal.exe Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\control.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect virtualization through RDTSC time measurementsShow sources
          Source: C:\Users\user\Desktop\mal.exe RDTSC instruction interceptor: First address: 00000000004098E4 second address: 00000000004098EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\mal.exe RDTSC instruction interceptor: First address: 0000000000409B5E second address: 0000000000409B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 00000000030198E4 second address: 00000000030198EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Windows\SysWOW64\control.exe RDTSC instruction interceptor: First address: 0000000003019B5E second address: 0000000003019B64 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\mal.exe Thread delayed: delay time: 922337203685477
          Source: C:\Users\user\Desktop\mal.exe TID: 6020 Thread sleep time: -54846s >= -30000s
          Source: C:\Users\user\Desktop\mal.exe TID: 412 Thread sleep time: -922337203685477s >= -30000s
          Source: C:\Windows\explorer.exe TID: 4840 Thread sleep time: -38000s >= -30000s
          Source: C:\Windows\SysWOW64\control.exe TID: 1320 Thread sleep time: -35000s >= -30000s
          Source: C:\Windows\explorer.exe Last function: Thread delayed
          Source: C:\Users\user\Desktop\mal.exe Thread delayed: delay time: 54846
          Source: C:\Users\user\Desktop\mal.exe Thread delayed: delay time: 922337203685477
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000:
          Source: explorer.exe, 00000003.00000000.254840052.0000000001398000.00000004.00000020.sdmp Binary or memory string: War&Prod_VMware_SATAR
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
          Source: explorer.exe, 00000003.00000000.273881536.0000000008640000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
          Source: explorer.exe, 00000003.00000000.292643668.00000000055D0000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}V*(E
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}~
          Source: explorer.exe, 00000003.00000000.274123090.000000000871F000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
          Source: explorer.exe, 00000003.00000000.274403765.00000000087D1000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00ices
          Source: explorer.exe, 00000003.00000000.264498703.0000000005603000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b},
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
          Source: explorer.exe, 00000003.00000000.271180653.0000000008220000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
          Source: C:\Users\user\Desktop\mal.exe Process information queried: ProcessInformation
          Source: C:\Users\user\Desktop\mal.exe Process queried: DebugPort
          Source: C:\Windows\SysWOW64\control.exe Process queried: DebugPort
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_00409A90 rdtsc
          Source: C:\Users\user\Desktop\mal.exe Code function: 2_2_0040ACD0 LdrLoadDll,
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045AA44B mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0460C450 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_0459746D mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_045F6C0A mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Code function: 15_2_04631C06 mov eax, dword ptr fs:[00000030h]
          Source: C:\Windows\SysWOW64\control.exe Cod