Windows Analysis Report PI-0387991.exe

Overview

General Information

Sample Name:PI-0387991.exe
Analysis ID:452542
MD5:655318bec9b30d5a2f2dedf399d87438
SHA1:23f37c9bddcd8393f499fee9b77220765288020c
SHA256:8cd1a5c6360cc1c0e513d4cc39f649bcb33b61c47c4b498b992ea8e9a41a48cd
Tags:exe
Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM3
Yara detected FormBook
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • PI-0387991.exe (PID: 5736 cmdline: 'C:\Users\user\Desktop\PI-0387991.exe' MD5: 655318BEC9B30D5A2F2DEDF399D87438)
    • RegSvcs.exe (PID: 3328 cmdline: {path} MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • explorer.exe (PID: 5076 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
          • cmd.exe (PID: 4860 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 1064 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.bodymoisturizer.online/q4kr/"], "decoy": ["realmodapk.com", "hanoharuka.com", "shivalikspiritualproducts.com", "womenshealthclinincagra.com", "racketpark.com", "startuporig.com", "azkachinas.com", "klanblog.com", "linuxradio.tools", "siteoficial-liquida.com", "glsbuyer.com", "bestdeez.com", "teens2cash.com", "valleyviewconstruct.com", "myfortniteskins.com", "cambecare.com", "csec2011.com", "idookap.com", "warmwallsrecords.com", "smartmirror.one", "alertreels.com", "oiop.online", "61cratoslot.com", "hispanicassoclv.com", "pennyforyourprep.com", "fayansistanbul.com", "superbartendergigs.club", "herr-nourimann.com", "oatkc.net", "romahony.com", "sportcrea.com", "crystalnieblas.com", "lcmet.com", "nwaymyatthu-mm.com", "edsufferen.club", "apispotlight.com", "shadowcatrecording.com", "capwisefin.com", "themesinsider.com", "kadrisells.com", "db-82.com", "rentyoursubmarine.com", "rin-ronshop.com", "donzfamilia.com", "loyalcollegeofart.com", "socialize.site", "shadesailstructure.com", "smcenterbiz.com", "zcdonghua.com", "1420radiolider.com", "ckenpo.com", "trucksitasa.com", "getthistle.com", "usvisanicaragua.com", "josiemaxwrites.com", "dehaagennutraceuticals.com", "noiaapp.com", "blinbins.com", "getreitive.com", "turmericbar.com", "manifestwealthrightnow.com", "garagekuhn.com", "longviewfinancialadvisor.com", "hallworthcapital.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0xe8af0:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0xe8e8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x10ff10:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x1102aa:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0xf4b9d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x11bfbd:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0xf4689:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x11baa9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0xf4c9f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x11c0bf:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0xf4e17:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x11c237:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xe98a2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x110cc2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0xf3904:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x11ad24:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xea61a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x111a3a:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0xf9c8f:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1210af:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0xfad32:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
• 0xf6bc1:$sqlite3step: 68 34 1C 7B E1
• 0xf6cd4:$sqlite3step: 68 34 1C 7B E1
• 0x11dfe1:$sqlite3step: 68 34 1C 7B E1
• 0x11e0f4:$sqlite3step: 68 34 1C 7B E1
• 0xf6bf0:$sqlite3text: 68 38 2A 90 C5
• 0xf6d15:$sqlite3text: 68 38 2A 90 C5
• 0x11e010:$sqlite3text: 68 38 2A 90 C5
• 0x11e135:$sqlite3text: 68 38 2A 90 C5
• 0xf6c03:$sqlite3blob: 68 53 D8 7F 8C
• 0xf6d2b:$sqlite3blob: 68 53 D8 7F 8C
• 0x11e023:$sqlite3blob: 68 53 D8 7F 8C
• 0x11e14b:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.RegSvcs.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.RegSvcs.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x85f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x19797:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1a83a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
8.2.RegSvcs.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
• 0x166c9:$sqlite3step: 68 34 1C 7B E1
• 0x167dc:$sqlite3step: 68 34 1C 7B E1
• 0x166f8:$sqlite3text: 68 38 2A 90 C5
• 0x1681d:$sqlite3text: 68 38 2A 90 C5
• 0x1670b:$sqlite3blob: 68 53 D8 7F 8C
• 0x16833:$sqlite3blob: 68 53 D8 7F 8C
8.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
8.2.RegSvcs.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
• 0x77f8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x18997:$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x19a3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 5076, ProcessCommandLine: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe', ProcessId: 4860

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: PI-0387991.exe | Virustotal: Detection: 50%
Source: PI-0387991.exe | ReversingLabs: Detection: 43%
Yara detected FormBook
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.377469940.0000000000E30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.498996789.00000000039D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.377521591.0000000000E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.377252491.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.499283578.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for sample
Source: PI-0387991.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 8.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PI-0387991.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PI-0387991.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: explorer.pdbUGP source: RegSvcs.exe, 00000008.00000002.379492526.0000000003050000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.342044175.0000000006FE0000.00000002.00000001.sdmp
Source: Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.501905978.0000000005AE7000.00000004.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.378058116.00000000012C0000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501377974.00000000056CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RegSvcs.exe, explorer.exe
Source: Binary string: explorer.pdb source: RegSvcs.exe, 00000008.00000002.379492526.0000000003050000.00000040.00000001.sdmp
Source: Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.501905978.0000000005AE7000.00000004.00000001.sdmp
Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.342044175.0000000006FE0000.00000002.00000001.sdmp
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop edi | 8_2_004162D8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 4x nop then pop edi | 10_2_033A62D8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49696 -> 162.241.2.50:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49696 -> 162.241.2.50:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49696 -> 162.241.2.50:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.bodymoisturizer.online/q4kr/
Source: global traffic | HTTP traffic detected: GET /q4kr/?m4z=hZWT6D&KdPxHVdh=stDcKtJiFThdGrRpndYyQbsbrCSX1QkCWnDTnTci+riMDIV/FP53rWURHHZjowo3ayyv HTTP/1.1 Host: www.romahony.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /q4kr/?m4z=hZWT6D&KdPxHVdh=8Twh4s36gZRno0YiIaK1Aog0Jq5SRxj1tGC/kNtcN6cj6UbdIOqmSeR7M7wA7kAlsS0+ HTTP/1.1 Host: www.idookap.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /q4kr/?KdPxHVdh=UTB9cmVppYOj/UC3W28IAi1vRKY7uisBtiUczDixbM3KLxocs5bu1DNZcq72D06e9ENr&m4z=hZWT6D HTTP/1.1 Host: www.siteoficial-liquida.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic | HTTP traffic detected: GET /q4kr/?m4z=hZWT6D&KdPxHVdh=+adpk/1z85ABQgFM8KoV7nh2RN9wNRyN3NacL4PKZthW2WB1UYKLVSKaUBe2HmITnYf8 HTTP/1.1 Host: www.hispanicassoclv.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View | ASN Name: WEST263GO-HKWest263InternationalLimitedHK
Source: Joe Sandbox View | ASN Name: OIS1US
Source: unknown | DNS traffic detected: queries for: www.romahony.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Thu, 22 Jul 2021 13:06:49 GMT Server: Apache/2.4.41 (Ubuntu) Status: 404 Not Found Vary: Accept-Encoding referer: http://image.baidu.com Content-Length: 0 Connection: close Content-Type: text/html;charset=utf-8;
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: PI-0387991.exe, 00000000.00000003.235322005.0000000005F7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: PI-0387991.exe, 00000000.00000003.235286861.0000000005F7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comUfee
Source: PI-0387991.exe, 00000000.00000003.235173657.0000000005F7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com_f
Source: PI-0387991.exe, 00000000.00000003.235173657.0000000005F7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.come
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: PI-0387991.exe, 00000000.00000003.235286861.0000000005F7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.como.
Source: PI-0387991.exe, 00000000.00000003.235106286.0000000001A0C000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comporFxlei
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: PI-0387991.exe, 00000000.00000003.239980062.0000000001A0B000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/de
Source: explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: PI-0387991.exe, 00000000.00000003.320350638.0000000005F50000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: PI-0387991.exe, 00000000.00000003.320350638.0000000005F50000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comt
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: PI-0387991.exe, 00000000.00000003.234500396.0000000005F7E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn-i-d)
Source: PI-0387991.exe, 00000000.00000003.234373089.0000000005F7B000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PI-0387991.exe, 00000000.00000003.243163796.0000000005F5B000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm3
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, PI-0387991.exe, 00000000.00000003.237137879.0000000005F5C000.00000004.00000001.sdmp, PI-0387991.exe, 00000000.00000003.236602049.0000000005F5B000.00000004.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PI-0387991.exe, 00000000.00000003.237137879.0000000005F5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: PI-0387991.exe, 00000000.00000003.237137879.0000000005F5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: PI-0387991.exe, 00000000.00000003.236914102.0000000005F5B000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/f
Source: PI-0387991.exe, 00000000.00000003.237137879.0000000005F5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: PI-0387991.exe, 00000000.00000003.236232775.0000000005F53000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/)
Source: PI-0387991.exe, 00000000.00000003.237137879.0000000005F5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/7
Source: PI-0387991.exe, 00000000.00000003.237137879.0000000005F5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/k-e
Source: PI-0387991.exe, 00000000.00000003.235849740.0000000005F53000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/oil
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, PI-0387991.exe, 00000000.00000003.232499400.0000000001A0C000.00000004.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: PI-0387991.exe, 00000000.00000003.232499400.0000000001A0C000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comd
Source: PI-0387991.exe, 00000000.00000003.232499400.0000000001A0C000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comx
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: PI-0387991.exe, 00000000.00000003.234687612.0000000005F5B000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com~
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: PI-0387991.exe, 00000000.00000002.326631678.00000000060C0000.00000002.00000001.sdmp, explorer.exe, 00000009.00000000.347910167.000000000BC30000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PI-0387991.exe, 00000000.00000003.234998306.0000000005F7D000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cne
Source: PI-0387991.exe, 00000000.00000003.235106286.0000000001A0C000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnobt

E-Banking Fraud:

Yara detected FormBook (same Yara matches as listed under AV Detection)

System Summary:

          Malicious sample detected (through community Yara rule)
          Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.377469940.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.377469940.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.498996789.00000000039D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.498996789.00000000039D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.377521591.0000000000E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.377521591.0000000000E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 00000008.00000002.377252491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000008.00000002.377252491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.499283578.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.499283578.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004181D0 NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00418280 NtReadFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00418300 NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004183B0 NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004181CD NtCreateFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004182FA NtClose
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004183AA NtAllocateVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013299A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013298F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013295D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013297A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013296E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329950 NtQueueApcThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013299D0 NtCreateProcessEx
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329820 NtEnumerateKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0132B040 NtSuspendThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013298A0 NtWriteVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329B00 NtSetValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0132A3B0 NtGetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329A10 NtQuerySection
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329A80 NtOpenDirectoryObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0132AD30 NtSetContextThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329520 NtWaitForSingleObject
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329560 NtWriteFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013295F0 NtQueryInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329730 NtQueryVirtualMemory
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0132A710 NtOpenProcessToken
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329770 NtSetInformationFile
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0132A770 NtOpenThread
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329760 NtOpenProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329610 NtEnumerateValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329670 NtQueryInformationProcess
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01329650 NtQueryValueKey
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013296D0 NtCreateKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056195D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056199A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056196E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056196D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619560 NtWriteFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0561AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056195F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056199D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0561B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056198F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056198A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619760 NtOpenProcess
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0561A770 NtOpenThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0561A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056197A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0561A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619A20 NtResumeThread
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619A10 NtQuerySection
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05619A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A8300 NtClose
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A83B0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A8280 NtReadFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A81D0 NtCreateFile
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A83AA NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A82FA NtClose
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033A81CD NtCreateFile
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D31A8
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D10C8
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D22A8
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D1880
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5A50
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D1D60
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D41B8
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D41A8
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D30B1
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D1016
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5038
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5048
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D53F8
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D229A
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D0480
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5408
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D0472
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D3691
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D36A0
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5619
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5628
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5888
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5878
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D1870
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D5A40
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D4D30
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D4D20
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D1D51
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05903FD0
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05900980
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_0590602D
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05901446
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05903FC0
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05901629
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05900E50
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05901980
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_059019B0
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05900970
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_059000FF
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05900007
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05900040
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05901390
          Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_0590138A
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00401030
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00401174
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004012FB
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041A302
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041CBDF
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041CBF8
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408C6B
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00408C70
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B4B6
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00402D87
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00402D90
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B67D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041CF41
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B76D
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00402FB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01304120
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_012EF900
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013A1002
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_012FB090
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0131EBB0
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_012E0D20
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_013B1D55
          Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_01306E30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_056A1D55
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055DF900
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055D0D20
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055F4120
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055ED5E0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055E841F
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_05691002
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055EB090
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0560EBB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_055F6E30
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033AA302
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033ACBF8
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033ACBDF
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033ACF41
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03392FB0
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033AB67D
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03392D90
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03392D87
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03398C70
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_03398C6B
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033AB4B6
          Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 055DB150 appears 32 times
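The Nt* code-function lines above are what an analyst turns into a judgement about injection technique: the hollowed RegSvcs.exe (process 8) and the SysWOW64 explorer.exe it spawns (process 10) both reach the section-mapping, thread-context and APC primitives that the report's signatures (process hollowing, thread injection, APC queueing) are built on. The following is an added example and is not part of this Joe Sandbox report: a small Python triage helper that parses these lines, collects the syscalls each process reaches, and flags which primitive sets are complete. The technique names and the API sets that define them are this example's own assumptions, chosen to mirror the report's signatures rather than to reproduce the vendor's rules; the embedded sample lines are copied from the list above.

```python
"""Triage helper for Joe Sandbox "Code function" lines: collect the Nt* calls
each process reaches and flag the API sets behind common injection techniques.

Added example, not part of the Joe Sandbox report. TECHNIQUES below is this
example's own assumption about which syscall sets make up each primitive."""
import re
from collections import defaultdict

# Sample lines copied from the report's System Summary section (process 8 is
# RegSvcs.exe, process 10 is SysWOW64\explorer.exe, process 0 is the dropper).
# The raw export repeats the function id after the API list; the parser
# tolerates that and also lines that carry no API name at all.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_004183B0 NtAllocateVirtualMemory,8_2_004183B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_013299A0 NtCreateSection,LdrInitializeThunk,8_2_013299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01329780 NtMapViewOfSection,LdrInitializeThunk,8_2_01329780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk,8_2_013297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_013298A0 NtWriteVirtualMemory,8_2_013298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0132B040 NtSuspendThread,8_2_0132B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0132A3B0 NtGetContextThread,8_2_0132A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_0132AD30 NtSetContextThread,8_2_0132AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01329A20 NtResumeThread,LdrInitializeThunk,8_2_01329A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 8_2_01329950 NtQueueApcThread,8_2_01329950
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_056199A0 NtCreateSection,LdrInitializeThunk,10_2_056199A0
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_05619780 NtMapViewOfSection,LdrInitializeThunk,10_2_05619780
Source: C:\Windows\SysWOW64\explorer.exeCode function: 10_2_05619950 NtQueueApcThread,10_2_05619950
Source: C:\Users\user\Desktop\PI-0387991.exeCode function: 0_2_019D31A80_2_019D31A8
"""

# "<process>_2_<address>" followed by an optional comma-separated API list.
CODE_FN = re.compile(r"Code function: (\d+)_2_([0-9A-Fa-f]{8})\s*([A-Za-z0-9_,]*)")
ID_TOKEN = re.compile(r"\d+_2_[0-9A-Fa-f]{8}")  # the repeated id, to be dropped

# Assumed API sets per primitive (this example's choice, not the vendor's rules).
TECHNIQUES = {
    "remote write":      {"NtAllocateVirtualMemory", "NtWriteVirtualMemory"},
    "section mapping":   {"NtCreateSection", "NtMapViewOfSection"},
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "thread hijack":     {"NtSuspendThread", "NtGetContextThread",
                          "NtSetContextThread", "NtResumeThread"},
    "APC injection":     {"NtQueueApcThread"},
}


def parse_code_functions(text):
    """Return {process_id: {api_name, ...}} for every "Code function" line."""
    apis_by_pid = defaultdict(set)
    for line in text.splitlines():
        m = CODE_FN.search(line)
        if not m:
            continue
        apis = apis_by_pid[int(m.group(1))]  # record the process even if no API
        for token in m.group(3).split(","):
            if token and not ID_TOKEN.fullmatch(token):
                apis.add(token)
    return dict(apis_by_pid)


def matched_techniques(apis):
    """Names of the primitives whose full API set the process reaches."""
    return sorted(name for name, required in TECHNIQUES.items() if required <= apis)


def missing_for(apis, technique):
    """APIs a process still lacks for a given primitive (for analyst notes)."""
    return TECHNIQUES[technique] - apis


def triage(text):
    """{process_id: [technique, ...]} over a block of report lines."""
    return {pid: matched_techniques(apis) for pid, apis in parse_code_functions(text).items()}


if __name__ == "__main__":
    for pid, techniques in sorted(triage(SAMPLE_LINES).items()):
        print(f"process {pid}: {', '.join(techniques) or 'no injection primitives'}")
```

On the sample, process 8 completes all five sets, process 10 completes only section mapping and APC injection, and process 0 (the .NET dropper, whose functions are listed without names) completes none; that split matches the report's own picture of RegSvcs.exe as the hollowed host that injects onward into explorer.exe. The parser keys on the `<process>_2_<address>` id format used throughout the page, so it can be pointed at the full list rather than the excerpt.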
          Source: PI-0387991.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: PI-0387991.exe, 00000000.00000000.228213118.000000000106D000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameCVhq8.exe2 vs PI-0387991.exe
          Source: PI-0387991.exe, 00000000.00000002.326381081.0000000005F20000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameResource_Meter.dll> vs PI-0387991.exe
          Source: PI-0387991.exe, 00000000.00000002.325475852.0000000005860000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs PI-0387991.exe
          Source: PI-0387991.exe, 00000000.00000002.330341241.0000000007E90000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMajorRevision.exe< vs PI-0387991.exe
          Source: PI-0387991.exe | Binary or memory string: OriginalFilenameCVhq8.exe2 vs PI-0387991.exe
          Source: PI-0387991.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 8.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.322811703.0000000004381000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.497338116.0000000003390000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.377469940.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.377469940.0000000000E30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.498996789.00000000039D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.498996789.00000000039D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.377521591.0000000000E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.377521591.0000000000E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000008.00000002.377252491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000008.00000002.377252491.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.499283578.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.499283578.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: PI-0387991.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.evad.winEXE@7/1@5/3
          Source: C:\Users\user\Desktop\PI-0387991.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PI-0387991.exe.logJump to behavior
          Source: C:\Users\user\Desktop\PI-0387991.exeMutant created: \Sessions\1\BaseNamedObjects\QXSFoHSgVnhv
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1064:120:WilError_01
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\explorer.exe
          Source: PI-0387991.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PI-0387991.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\PI-0387991.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: PI-0387991.exe | Virustotal: Detection: 50%
Source: PI-0387991.exe | ReversingLabs: Detection: 43%
Source: unknown | Process created: C:\Users\user\Desktop\PI-0387991.exe 'C:\Users\user\Desktop\PI-0387991.exe'
Source: C:\Users\user\Desktop\PI-0387991.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe {path}
Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\PI-0387991.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: PI-0387991.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PI-0387991.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: explorer.pdbUGP source: RegSvcs.exe, 00000008.00000002.379492526.0000000003050000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.342044175.0000000006FE0000.00000002.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: explorer.exe, 0000000A.00000002.501905978.0000000005AE7000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000008.00000002.378058116.00000000012C0000.00000040.00000001.sdmp, explorer.exe, 0000000A.00000002.501377974.00000000056CF000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, explorer.exe
          Source: Binary string: explorer.pdb source: RegSvcs.exe, 00000008.00000002.379492526.0000000003050000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb source: explorer.exe, 0000000A.00000002.501905978.0000000005AE7000.00000004.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.342044175.0000000006FE0000.00000002.00000001.sdmp
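The process-creation entries above describe a chain that can be matched in endpoint telemetry: the sample on the Desktop starts the signed .NET utility RegSvcs.exe with the literal argument {path}, the real explorer.exe starts a 32-bit explorer.exe from SysWOW64, and that process runs cmd.exe /c del against RegSvcs.exe to remove the hollowed host. The detection below is an added example written for this page, not Joe Sandbox code. The ProcEvent records are constructed from the report's lines (the parent of the sample itself is not in the report and is assumed to be the user's explorer.exe), and the rule names and the list of .NET utility hosts are my own choice.

```python
"""Match the RegSvcs.exe hollowing / SysWOW64 explorer.exe / self-delete chain
seen in the report over process-creation events.

Added example for this page; the events are constructed, not real telemetry."""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # full path of the new process
    cmdline: str        # its command line (or arguments) as logged
    parent_image: str   # full path of the creating process


# Constructed events mirroring the "Process created" lines of the report.
SAMPLE_EVENTS = [
    ProcEvent(1, 0, r"C:\Users\user\Desktop\PI-0387991.exe",
              r"'C:\Users\user\Desktop\PI-0387991.exe'", r"C:\Windows\explorer.exe"),
    ProcEvent(8, 1, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              "{path}", r"C:\Users\user\Desktop\PI-0387991.exe"),
    ProcEvent(10, 9, r"C:\Windows\SysWOW64\explorer.exe",
              r"C:\Windows\SysWOW64\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(11, 10, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'",
              r"C:\Windows\SysWOW64\explorer.exe"),
    ProcEvent(12, 11, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1",
              r"C:\Windows\SysWOW64\cmd.exe"),
]

# Signed .NET utilities that loaders commonly hollow (assumed list, extend as needed).
NET_UTILITY_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                     "msbuild.exe", "aspnet_compiler.exe"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(desktop|downloads|appdata)\\", re.I)
DEL_CMD = re.compile(r"/c\s+del\s+['\"]?(?P<target>[^'\"]+)", re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def detect(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    findings = []
    for ev in events:
        child, parent = base(ev.image), base(ev.parent_image)

        # 1. A .NET utility host started by a binary living in a user-writable
        #    path: the target an Assembly.Load()-based loader hollows.
        if child in NET_UTILITY_HOSTS and USER_WRITABLE.search(ev.parent_image):
            findings.append(("net_host_from_user_path", ev.pid, parent))

        # 2. The 64-bit shell spawning a 32-bit explorer.exe from SysWOW64:
        #    not a normal shell action, and the migration seen in this report.
        if (child == "explorer.exe" and parent == "explorer.exe"
                and "\\syswow64\\" in ev.image.lower()):
            findings.append(("syswow64_explorer_spawn", ev.pid, ev.image))

        # 3. cmd.exe /c del whose target is one of the .NET hosts: the injected
        #    stage removing the hollowed image it came from.
        m = DEL_CMD.search(ev.cmdline) if child == "cmd.exe" else None
        if m and base(m.group("target")) in NET_UTILITY_HOSTS:
            findings.append(("self_delete_of_net_host", ev.pid, m.group("target")))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} pid={pid:<3} {detail}")
```

Rule 1 only fires when the parent lives under a user profile, so a legitimate installer running RegSvcs.exe from Program Files does not match; rule 3 keys on the deletion target rather than on cmd.exe itself, so a loader that deletes a file elsewhere needs its own rule. Each tuple carries the pid so the hit can be pivoted to the rest of the tree, which is where the injection into explorer.exe would be confirmed.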

          Data Obfuscation:

.NET source code contains potential unpacker
Source: PI-0387991.exe, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.PI-0387991.exe.f90000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.PI-0387991.exe.f90000.0.unpack, uNotepad/Form1.cs | .Net Code: TGBNJUYHFDERWS System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
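The "Code function" entries that follow flag push/ret and push/iretd pairs at addresses inside the running processes. push reg; ret is a computed jump through whatever was pushed, and push ...; iretd loads EIP, CS and EFLAGS from the stack, so both are rare in compiler output and typical of packed or injected code that hides its control flow, which is why the sandbox lists them next to the Assembly.Load(byte[]) finding. The scanner below reproduces that heuristic over a byte buffer. It is an added example, not Joe Sandbox's implementation; the SAMPLE bytes are constructed, and the mnemonic text is formatted to resemble the report's entries (sign-extended immediates as FFFFFF8Bh and so on).

```python
"""Find push/ret and push/iretd pairs in raw x86-32 code bytes.

Added example for this page; SAMPLE is a constructed buffer."""
import struct

PUSH_R32 = {0x50 + i: r for i, r in enumerate(
    ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"])}
PUSH_SREG = {0x06: "es", 0x0E: "cs", 0x16: "ss", 0x1E: "ds"}
FLOW = {0xC3: "ret", 0xCF: "iretd"}        # C2 iw (ret imm16) handled below


def decode_push(buf: bytes, i: int):
    """Return (mnemonic, length) if a push encoding starts at buf[i], else None."""
    op = buf[i]
    if op in PUSH_R32:
        return f"push {PUSH_R32[op]}", 1
    if op in PUSH_SREG:
        return f"push {PUSH_SREG[op]}", 1
    if op == 0x9C:
        return "pushfd", 1
    if op == 0x6A and i + 1 < len(buf):        # push imm8, sign-extended to 32 bits
        imm = struct.unpack_from("<b", buf, i + 1)[0] & 0xFFFFFFFF
        return f"push {imm:08X}h", 2
    if op == 0x68 and i + 4 < len(buf):        # push imm32
        imm = struct.unpack_from("<I", buf, i + 1)[0]
        return f"push {imm:08X}h", 5
    return None


def decode_flow(buf: bytes, i: int):
    """Return the mnemonic of a ret/iretd at buf[i], else None."""
    if i >= len(buf):
        return None
    op = buf[i]
    if op in FLOW:
        return FLOW[op]
    if op == 0xC2 and i + 2 < len(buf):        # ret imm16
        return f"ret {struct.unpack_from('<H', buf, i + 1)[0]:X}h"
    return None


def find_push_ret(buf: bytes, base: int = 0):
    """Scan every byte offset (no instruction alignment, like the sandbox
    heuristic) and return (address, 'push ...; ret|iretd') hits."""
    hits = []
    for i in range(len(buf)):
        p = decode_push(buf, i)
        if p is None:
            continue
        mnem, n = p
        flow = decode_flow(buf, i + n)
        if flow:
            hits.append((base + i, f"{mnem}; {flow}"))
    return hits


# Constructed buffer: filler plus one of each pattern the report shows.
SAMPLE = bytes.fromhex(
    "33C0"          # xor eax, eax            (no hit)
    "50C3"          # push eax; ret           (computed jump through eax)
    "9090"          # nop; nop
    "6A8BCF"        # push FFFFFF8Bh; iretd
    "16CF"          # push ss; iretd
    "9CCF"          # pushfd; iretd
    "53CF"          # push ebx; iretd
    "57C3"          # push edi; ret
    "6878563412C3"  # push 12345678h; ret
    "C3"            # lone ret                (no hit)
)

if __name__ == "__main__":
    for addr, text in find_push_ret(SAMPLE, base=0x400000):
        print(f"{addr:08X} {text}")
```

Because the scan starts a decode at every byte offset, a match inside data or inside the operand bytes of a longer instruction is possible, so a hit is a place to look with a real disassembler, not proof of obfuscation on its own; the value of the sandbox's list is that the addresses are reported for the processes as they ran, after the loader had already replaced their code.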
Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_00FEE9EE push ss; iretd 0_2_00FEE9F4
Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_019D61E9 push ebx; iretd 0_2_019D61EA
Source: C:\Users\user\Desktop\PI-0387991.exe | Code function: 0_2_05909235 push FFFFFF8Bh; iretd 0_2_05909237
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004161E2 push ecx; iretd 8_2_004161E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041C309 pushfd; iretd 8_2_0041C30A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B3C5 push eax; ret 8_2_0041B418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B47C push eax; ret 8_2_0041B482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B412 push eax; ret 8_2_0041B418
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0041B41B push eax; ret 8_2_0041B482
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00415F53 pushfd; iretd 8_2_00415F86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_004157CE push edi; ret 8_2_004157D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_00415F93 pushfd; iretd 8_2_00415F86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 8_2_0133D0D1 push ecx; ret 8_2_0133D0E4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_0562D0D1 push ecx; ret 10_2_0562D0E4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033AC309 pushfd; iretd 10_2_033AC30A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 10_2_033AB3C5 push eax; ret 10_2_033AB418
          Source: C:\Windows\SysWOW64\explo