Windows Analysis Report PO07262021.exe

Overview

General Information

Sample Name: PO07262021.exe
Analysis ID: 458795
MD5: 47a679ec6799a5a2c9212de73d404a83
SHA1: d21c87a07b4701ddf3206aeb534d010dd928116b
SHA256: c2e765b8a42432e042da5c444bdba20b8021bd5e1b022693978b6540fdbddec7
Tags: exe, Formbook
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
.NET source code contains very large strings
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Process Tree

  • System is w10x64
  • PO07262021.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\PO07262021.exe' MD5: 47A679EC6799A5A2C9212DE73D404A83)
    • schtasks.exe (PID: 960 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO07262021.exe (PID: 4780 cmdline: C:\Users\user\Desktop\PO07262021.exe MD5: 47A679EC6799A5A2C9212DE73D404A83)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6808 cmdline: /c del 'C:\Users\user\Desktop\PO07262021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
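The process tree above shows the FormBook chain end to end: the sample registers a scheduled task from an XML file dropped in %TEMP%, relaunches itself with the same path and hash (the copy in which the unpacked FormBook is later found), surfaces inside explorer.exe, and from there runs a 32-bit cmd.exe out of SysWOW64 whose child deletes the original file. The Python below is an added example and not part of the Joe Sandbox report: it parses the tree exactly as printed above (copied into the script so it runs offline), rebuilds the parent/child links from the indentation, and flags those four links. The check names and the conditions behind them are this example's own assumptions, not Joe Sandbox signatures.

```python
import re

# Process tree copied from the report's Process Tree section (constructed input
# for this example); the indentation encodes the parent/child nesting.
PROCESS_TREE = r"""
  • PO07262021.exe (PID: 6688 cmdline: 'C:\Users\user\Desktop\PO07262021.exe' MD5: 47A679EC6799A5A2C9212DE73D404A83)
    • schtasks.exe (PID: 960 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 2388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • PO07262021.exe (PID: 4780 cmdline: C:\Users\user\Desktop\PO07262021.exe MD5: 47A679EC6799A5A2C9212DE73D404A83)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 7024 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • cmd.exe (PID: 6808 cmdline: /c del 'C:\Users\user\Desktop\PO07262021.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6812 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
"""

# One tree line: "<indent>• <image> (PID: <pid> cmdline: <cmd> MD5: <md5>)"
LINE_RE = re.compile(
    r"^(?P<indent>\s*)• (?P<image>\S+) \(PID: (?P<pid>\d+) cmdline: (?P<cmd>.*) "
    r"MD5: (?P<md5>[0-9A-Fa-f]{32})\)\s*$"
)


def parse_tree(text):
    """Flatten the indented tree into process dicts with a ppid link each."""
    procs, stack = [], []          # stack: (indent, pid) of the open ancestors
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        indent = len(m.group("indent"))
        while stack and stack[-1][0] >= indent:   # close deeper/equal siblings
            stack.pop()
        proc = {
            "pid": int(m.group("pid")),
            "ppid": stack[-1][1] if stack else None,
            "image": m.group("image"),
            "cmdline": m.group("cmd"),
            "md5": m.group("md5").upper(),
        }
        procs.append(proc)
        stack.append((indent, proc["pid"]))
    return procs


def _unquote(s):
    return s.strip().strip("'\"")


def find_suspicious(procs):
    """Apply the four chain checks (example heuristics); returns [(pid, reason)]."""
    by_pid = {p["pid"]: p for p in procs}
    images = {p["image"].lower() for p in procs}
    hits = []
    for p in procs:
        img, cmd = p["image"].lower(), p["cmdline"]
        low = cmd.lower()
        parent = by_pid.get(p["ppid"])
        # 1. Persistence: schtasks /Create fed a task definition (/XML) from %TEMP%.
        if (img == "schtasks.exe" and "/create" in low and "/xml" in low
                and "\\appdata\\local\\temp\\" in low):
            hits.append((p["pid"], "scheduled task created from XML in %TEMP%"))
        # 2. A process started a second copy of itself (same path, same hash):
        #    the usual prelude to hollowing the suspended child.
        if (parent and parent["md5"] == p["md5"]
                and _unquote(parent["cmdline"]).lower() == _unquote(cmd).lower()):
            hits.append((p["pid"], "sample re-launched itself (hollowing candidate)"))
        # 3. explorer.exe (64-bit on w10x64) spawning a 32-bit cmd.exe from SysWOW64.
        if (parent and parent["image"].lower() == "explorer.exe"
                and img == "cmd.exe" and "\\syswow64\\" in low):
            hits.append((p["pid"], "explorer.exe spawned 32-bit cmd.exe from SysWOW64"))
        # 4. cmd.exe /c del <path> where <path> names one of the tree's own images.
        m = re.search(r"/c\s+del\s+(.+)$", cmd, re.IGNORECASE)
        if img == "cmd.exe" and m:
            target = _unquote(m.group(1)).replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if target in images:
                hits.append((p["pid"], f"cmd.exe deleted the original sample {target}"))
    return hits


def analyze(text=PROCESS_TREE):
    return find_suspicious(parse_tree(text))


if __name__ == "__main__":
    for pid, reason in analyze():
        print(f"PID {pid}: {reason}")
```

Run as-is it reports PIDs 960, 4780, 7024 and 6808, one per link in the chain; conhost.exe children are ignored because they match none of the checks. The same parser works on any Joe Sandbox process tree pasted in this text form.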

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.cryptoinhindi.online/nmks/"], "decoy": ["sunaoto.net", "uddeshyaheen.com", "memesyndicste.com", "wellnessbytanyabawa.com", "winabeel.com", "santabirria.com", "whatmattersindia.com", "3rdimultimedia.com", "koukismile.com", "hellobabymoccs.com", "marziehmakeup.com", "faiyou.com", "redbarnprovisions.com", "odmgl.com", "usevino.xyz", "csyczp.com", "gutfeelings.club", "coscos.xyz", "moodoo.icu", "thedarktechnician.com", "weebwrld.com", "wilsonmantels.com", "biodrains.com", "banqutstaff.com", "solomonislandsforum.com", "yolo-wear.com", "everylastdropinc.com", "dayblindstarstrategies.com", "freelancersarabia.com", "bellasnicolejewelrymd.com", "oscarh.net", "actevate.xyz", "apa168.com", "paintonpurposeofficial.com", "hrvatskepraviceblog.com", "tednme.com", "truverity.study", "militarynotary.com", "advancedhorticulture.com", "bookmyfreelancer.online", "nieght.com", "yabancidiziozetleri.net", "bkoclchain.com", "ahwaday.com", "yandex-deliverry.online", "electronichaven.today", "islamidesign.com", "lagerungen.com", "uneducatedbyamerica.com", "78500605.xyz", "taichiforwellbeingonline.com", "philipsima.com", "ezljdah.com", "auserconsulting.com", "finrowacademy.com", "securitybyicon.com", "craveroots.com", "ppneumatic.com", "neiretec.com", "amazonemea.xyz", "3dpraclabs-virtual-physics.com", "fitnesstrainingco.com", "brsconsortuimltd.com", "rapiddist.com"]}

Yara Overview

Memory Dumps

Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(13 further memory-dump entries are not shown in this excerpt)

      Unpacked PEs

Source: 7.2.PO07262021.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b327:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c32a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  Strings:
    • 0x18409:$sqlite3step: 68 34 1C 7B E1
    • 0x1851c:$sqlite3step: 68 34 1C 7B E1
    • 0x18438:$sqlite3text: 68 38 2A 90 C5
    • 0x1855d:$sqlite3text: 68 38 2A 90 C5
    • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
Source: 7.2.PO07262021.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  Strings:
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a527:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b52a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry is not shown in this excerpt)
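The match lists above are what a Yara hit looks like from the inside: an offset into the dump, the string identifier, and the bytes that matched. Two details are worth reading off them. Every string in the JPCERT/CC rule is `68 xx xx xx xx`, an x86 `push imm32`; the identifiers name sqlite3 functions, so the constants are presumably the values the malware pushes to identify those functions before resolving them (how they are derived is not shown on this page). In the yara-signator rule, `$sequence_0` (`03 C8 0F 31 2B C1 89 45 FC`) decodes to `add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax`, a timing measurement consistent with the "Tries to detect virtualization through RDTSC time measurements" signature listed at the top. The Python below is an added example, not part of the report and not the text of either rule: it reimplements the hex-string scan over a constructed buffer in which the rule bytes have been planted at chosen offsets (standing in for a memory dump), and decodes the push immediates. The "every string must match" condition is this example's assumption; the real rules' conditions are not on this page.

```python
# Hex strings copied from the Yara Overview: three from the JPCERT/CC "Formbook"
# rule and two of the ten from the yara-signator "Formbook_1" rule.
RULES = {
    "Formbook (JPCERT/CC)": {
        "$sqlite3step": "68 34 1C 7B E1",
        "$sqlite3text": "68 38 2A 90 C5",
        "$sqlite3blob": "68 53 D8 7F 8C",
    },
    "Formbook_1 (yara-signator)": {
        "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",   # add ecx,eax; rdtsc; sub eax,ecx; mov [ebp-4],eax
        "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    },
}


def hex_to_bytes(hex_string):
    """'68 34 1C 7B E1' -> b'\\x68\\x34\\x1c\\x7b\\xe1' (plain hex only, no wildcards)."""
    return bytes.fromhex(hex_string.replace(" ", ""))


def find_all(buf, pattern):
    """Every offset of pattern in buf, overlapping allowed, like a Yara $x match list."""
    hits, start = [], 0
    while True:
        i = buf.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def push_imm32(pattern):
    """If pattern is a 5-byte x86 'push imm32' (opcode 0x68), return the immediate
    as an integer (little-endian); otherwise None."""
    if len(pattern) == 5 and pattern[0] == 0x68:
        return int.from_bytes(pattern[1:], "little")
    return None


def scan(buf, rules=RULES):
    """Return {rule: {"strings": {name: [offsets]}, "matched": bool}}.
    Condition (assumption for this example): every string must match at least once."""
    result = {}
    for rule, strings in rules.items():
        found = {name: find_all(buf, hex_to_bytes(h)) for name, h in strings.items()}
        result[rule] = {"strings": found, "matched": all(found.values())}
    return result


def build_sample():
    """Constructed 4 KiB buffer of NOPs (0x90) with rule bytes planted at chosen
    offsets. It is not FormBook code; it only exercises the scanner."""
    buf = bytearray(b"\x90" * 0x1000)
    planted = [
        (0x409, "68 34 1C 7B E1"), (0x51C, "68 34 1C 7B E1"),   # two $sqlite3step hits
        (0x438, "68 38 2A 90 C5"), (0x44B, "68 53 D8 7F 8C"),
        (0x8E8, "03 C8 0F 31 2B C1 89 45 FC"), (0xB62, "03 C8 0F 31 2B C1 89 45 FC"),
    ]
    for off, h in planted:
        b = hex_to_bytes(h)
        buf[off:off + len(b)] = b
    return bytes(buf)


if __name__ == "__main__":
    for rule, res in scan(build_sample()).items():
        print(rule, "matched" if res["matched"] else "not matched")
        for name, offsets in res["strings"].items():
            imm = push_imm32(hex_to_bytes(RULES[rule][name]))
            extra = f"  (push 0x{imm:08X})" if imm is not None else ""
            print(f"  {name}: {[hex(o) for o in offsets]}{extra}")
```

On the constructed buffer the JPCERT/CC rule matches (all three pushes present, `$sqlite3step` twice) while `Formbook_1` does not, because `$sequence_4` was not planted; to scan a real dump, read the `.sdmp` file into `buf` and keep the rest unchanged.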

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          AV Detection:

Found malware configuration
Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp | Malware Configuration Extractor: FormBook (C2 list and decoy list as given under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe | ReversingLabs: Detection: 73%
Multi AV Scanner detection for submitted file
Source: PO07262021.exe | Virustotal: Detection: 58%
Source: PO07262021.exe | ReversingLabs: Detection: 73%
Yara detected FormBook
Source: Yara match | File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO07262021.exe | Joe Sandbox ML: detected
Source: 7.2.PO07262021.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: PO07262021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: PO07262021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000000.765256590.00000000011D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: cmd.pdb source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F31DC FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D85EA memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E245C FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DB89C GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose
Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E68BA FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose
Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00407AFE: 4x nop then pop ebx

          Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.cryptoinhindi.online/nmks/
Source: global traffic | HTTP traffic detected: GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1 | Host: www.winabeel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1 | Host: www.winabeel.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.winabeel.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: PO07262021.exe | String found in binary or memory: http://i.imgur.com/blkrqBo.gif
Source: explorer.exe, 00000009.00000000.735427722.0000000002B50000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO07262021.exe, 00000000.00000003.647203244.000000000116D000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnD
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000009.00000000.724367987.000000000B970000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO07262021.exe | String found in binary or memory: https://static.hummingbird.me/anime/poster_images/000/010/716/large/0fd8df1b586e60a0b1591cd8555c072f
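The extracted configuration has one C2 entry (host plus URI path, `www.cryptoinhindi.online/nmks/`) and 64 decoy domains, and the only beacon the sandbox saw went to `www.winabeel.com`, which is a decoy entry, using the C2 path `/nmks/` and no User-Agent. FormBook sends the same request to decoys from its configuration as to the real C2, so the destination host alone does not identify the C2; the path combined with the configuration does. The Python below is an added example and not part of the report: it loads the configuration JSON in the format shown under Malware Configuration (reduced here to a constructed subset of the decoys), parses raw HTTP requests (the observed one reassembled from the log line above plus two constructed ones) and classifies each as C2, decoy or neither, also flagging the missing User-Agent that the signature list calls out. The font-vendor URLs listed under explorer.exe above are font metadata resident in explorer.exe's own memory, not indicators for this sample.

```python
import json

# Configuration in the extractor's format, reduced to the C2 entry and a constructed
# subset of the 64 decoy domains (the full list is in the Malware Configuration section).
CONFIG_JSON = """{"C2 list": ["www.cryptoinhindi.online/nmks/"],
 "decoy": ["sunaoto.net", "uddeshyaheen.com", "winabeel.com", "santabirria.com",
           "yandex-deliverry.online", "amazonemea.xyz"]}"""

# The request the sandbox observed, reassembled from the Networking section.
OBSERVED_REQUEST = (
    "GET /nmks/?6latBtaX=AODdElP/LvmD82bfBWBMQGTCd+0C8NCj5PjqI400wXLHipc47/wHi7nKSi/3AqembaQc&v2M=nRRXGl0p HTTP/1.1\r\n"
    "Host: www.winabeel.com\r\n"
    "Connection: close\r\n\r\n"
)
# Two constructed requests for contrast: one to the configured C2, one unrelated.
C2_REQUEST = (
    "GET /nmks/?abcd=ZZZZ&v2M=nRRXGl0p HTTP/1.1\r\n"
    "Host: www.cryptoinhindi.online\r\n"
    "Connection: close\r\n\r\n"
)
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n"
)


def _norm_host(host):
    """Lower-case, drop any port and a leading 'www.' so config and Host header compare."""
    host = host.strip().lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def load_config(text):
    """Return ([(c2_host, c2_path), ...], {decoy_host, ...})."""
    cfg = json.loads(text)
    c2 = []
    for entry in cfg["C2 list"]:            # "host/path" as the extractor prints it
        host, _, path = entry.partition("/")
        c2.append((_norm_host(host), "/" + path))
    return c2, {_norm_host(d) for d in cfg["decoy"]}


def parse_request(raw):
    """Minimal HTTP/1.x request parser -> (method, path, query, headers)."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    method, target, _version = head[0].split(" ", 2)
    path, _, query = target.partition("?")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, query, headers


def classify(raw, c2, decoys):
    """Verdict: 'c2' (host and path match the config), 'decoy' (C2 path to a decoy
    host), 'c2-path-unknown-host' (C2 path, host not in config) or 'no-match'."""
    method, path, query, headers = parse_request(raw)
    host = _norm_host(headers.get("host", ""))
    path_hit = any(path.startswith(p) for _, p in c2)
    if any(host == h and path.startswith(p) for h, p in c2):
        verdict = "c2"
    elif path_hit and host in decoys:
        verdict = "decoy"
    elif path_hit:
        verdict = "c2-path-unknown-host"
    else:
        verdict = "no-match"
    return {
        "method": method,
        "host": host,
        "path": path,
        "verdict": verdict,
        "missing_user_agent": "user-agent" not in headers,   # signature: GET/POST without UA
        "has_query": bool(query),
    }


def triage(requests=(OBSERVED_REQUEST, C2_REQUEST, BENIGN_REQUEST), config=CONFIG_JSON):
    c2, decoys = load_config(config)
    return [classify(r, c2, decoys) for r in requests]


if __name__ == "__main__":
    for r in triage():
        ua = "no User-Agent" if r["missing_user_agent"] else "has User-Agent"
        print(f"{r['method']} {r['host']}{r['path']}: {r['verdict']} ({ua})")
```

The observed request classifies as `decoy` with no User-Agent, the constructed request to the configured host as `c2`, and the browser-style request as `no-match`; the `c2-path-unknown-host` verdict is what you would see for a decoy domain that was not in the extracted list, which is the case worth keeping an eye on when the extractor only recovered part of the configuration.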

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          .NET source code contains very large stringsShow sources
          Source: PO07262021.exe, Lens.csLong String: Length: 10292
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00419D60 NtCreateFile,7_2_00419D60
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00419E10 NtReadFile,7_2_00419E10
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00419E90 NtClose,7_2_00419E90
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00419F40 NtAllocateVirtualMemory,7_2_00419F40
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00419E8B NtClose,7_2_00419E8B
          Source: C:\Users\user\Desktop\PO07262021.exeCode function: 7_2_00419F3D NtAllocateVirtualMemory,7_2_00419F3D
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011F6D90 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,15_2_011F6D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011FB5E0 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,15_2_011FB5E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011DB42E NtOpenThreadToken,NtOpenProcessToken,NtClose,15_2_011DB42E
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011D84BE NtQueryVolumeInformationFile,GetFileInformationByHandleEx,15_2_011D84BE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011D58A4 _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp,15_2_011D58A4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011DB4C0 NtQueryInformationToken,15_2_011DB4C0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011DB4F8 NtQueryInformationToken,NtQueryInformationToken,15_2_011DB4F8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011D83F2 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError,15_2_011D83F2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_011F9AB4 NtSetInformationFile,15_2_011F9AB4
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9780 NtMapViewOfSection,LdrInitializeThunk,15_2_03AA9780
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9FE0 NtCreateMutant,LdrInitializeThunk,15_2_03AA9FE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9710 NtQueryInformationToken,LdrInitializeThunk,15_2_03AA9710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA96E0 NtFreeVirtualMemory,LdrInitializeThunk,15_2_03AA96E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA96D0 NtCreateKey,LdrInitializeThunk,15_2_03AA96D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9A50 NtCreateFile,LdrInitializeThunk,15_2_03AA9A50
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA99A0 NtCreateSection,LdrInitializeThunk,15_2_03AA99A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA95D0 NtClose,LdrInitializeThunk,15_2_03AA95D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,15_2_03AA9910
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9540 NtReadFile,LdrInitializeThunk,15_2_03AA9540
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9860 NtQuerySystemInformation,LdrInitializeThunk,15_2_03AA9860
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9840 NtDelayExecution,LdrInitializeThunk,15_2_03AA9840
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA97A0 NtUnmapViewOfSection,15_2_03AA97A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AAA3B0 NtGetContextThread,15_2_03AAA3B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9730 NtQueryVirtualMemory,15_2_03AA9730
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 15_2_03AA9B00 NtSetValueKey,15_2_03AA9B00
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAA710 NtOpenProcessToken | 15_2_03AAA710
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9760 NtOpenProcess | 15_2_03AA9760
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9770 NtSetInformationFile | 15_2_03AA9770
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAA770 NtOpenThread | 15_2_03AAA770
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A80 NtOpenDirectoryObject | 15_2_03AA9A80
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A20 NtResumeThread | 15_2_03AA9A20
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A00 NtProtectVirtualMemory | 15_2_03AA9A00
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9610 NtEnumerateValueKey | 15_2_03AA9610
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9A10 NtQuerySection | 15_2_03AA9A10
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9660 NtAllocateVirtualMemory | 15_2_03AA9660
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9670 NtQueryInformationProcess | 15_2_03AA9670
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9650 NtQueryValueKey | 15_2_03AA9650
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA95F0 NtQueryInformationFile | 15_2_03AA95F0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA99D0 NtCreateProcessEx | 15_2_03AA99D0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9520 NtWaitForSingleObject | 15_2_03AA9520
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AAAD30 NtSetContextThread | 15_2_03AAAD30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9560 NtWriteFile | 15_2_03AA9560
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9950 NtQueueApcThread | 15_2_03AA9950
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA98A0 NtWriteVirtualMemory | 15_2_03AA98A0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA98F0 NtReadVirtualMemory | 15_2_03AA98F0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03AA9820 NtEnumerateKey | 15_2_03AA9820
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E6550: memset, GetFileSecurityW, GetSecurityDescriptorOwner, ??_V@YAXPAX@Z, memset, CreateFileW, DeviceIoControl, memcpy, CloseHandle, ??_V@YAXPAX@Z, memset, ??_V@YAXPAX@Z, FindClose, ??_V@YAXPAX@Z | 15_2_011E6550
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E374E InitializeProcThreadAttributeList, UpdateProcThreadAttribute, memset, memset, GetStartupInfoW, lstrcmpW, CreateProcessW, CloseHandle, GetLastError, GetLastError, DeleteProcThreadAttributeList, _local_unwind4, CreateProcessAsUserW, GetLastError, CloseHandle | 15_2_011E374E
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00401026 | 7_2_00401026
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00401030 | 7_2_00401030
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041D9D8 | 7_2_0041D9D8
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041D1AB | 7_2_0041D1AB
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041D3C4 | 7_2_0041D3C4
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041E5F4 | 7_2_0041E5F4
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00402D90 | 7_2_00402D90
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00409E40 | 7_2_00409E40
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00409E3C | 7_2_00409E3C
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041DFE0 | 7_2_0041DFE0
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041DFEC | 7_2_0041DFEC
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00402FB0 | 7_2_00402FB0
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_006A6507 | 7_2_006A6507
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F3506 | 15_2_011F3506
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E6550 | 15_2_011E6550
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E1969 | 15_2_011E1969
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D7190 | 15_2_011D7190
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F31DC | 15_2_011F31DC
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DD803 | 15_2_011DD803
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DE040 | 15_2_011DE040
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D9CF0 | 15_2_011D9CF0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F5CEA | 15_2_011F5CEA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D48E6 | 15_2_011D48E6
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DCB48 | 15_2_011DCB48
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E5FC8 | 15_2_011E5FC8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011F6FF0 | 15_2_011F6FF0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DFA30 | 15_2_011DFA30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D5226 | 15_2_011D5226
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D5E70 | 15_2_011D5E70
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011D8AD7 | 15_2_011D8AD7
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A9EBB0 | 15_2_03A9EBB0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A86E30 | 15_2_03A86E30
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A92581 | 15_2_03A92581
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A7D5E0 | 15_2_03A7D5E0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A60D20 | 15_2_03A60D20
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A84120 | 15_2_03A84120
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A6F900 | 15_2_03A6F900
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03B31D55 | 15_2_03B31D55
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A920A0 | 15_2_03A920A0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03A7B090 | 15_2_03A7B090
          Source: PO07262021.exe, 00000000.00000000.642212993.00000000006D2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
          Source: PO07262021.exe, 00000007.00000002.768168332.000000000143F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs PO07262021.exe
          Source: PO07262021.exe, 00000007.00000002.766354813.0000000000792000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
          Source: PO07262021.exe, 00000007.00000002.768464422.000000000152D000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCmd.Exej% vs PO07262021.exe
          Source: PO07262021.exe | Binary or memory string: OriginalFilenamecAlternateFileNameeFixedBuff.exe2 vs PO07262021.exe
          Source: PO07262021.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.PO07262021.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.PO07262021.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.912674126.0000000003A00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.765614509.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.767554983.0000000001150000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.767309184.0000000000D00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.912452970.00000000033D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000F.00000002.911713317.0000000001050000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: PO07262021.exe, Shelf_itemm.cs | Base64 encoded string: 'iVBORw0KGgoAAAANSUhEUgAAACgAAAAoCAYAAACM/rhtAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAKRJREFUeNpi/P//P8NgBkwMgxyMOnDUgaMOHHXgqANHHTjqwAEGoNYMMgYCeyA+CZIiAm8HYhWaugeLA58T6TgY3ohk/l4S9aLjvejuwRbFEiR6WhGJ/YvCAMTQz0LlFOM5mospBBSnQVo7cDQNjqZBaqTBpyQ66hEt0yC2msSDhNrkEhBr0bKqYxwdWRh14KgDRx046sBRB446cNSBQ9qBAAEGAPhFqjdpHPl0AAAAAElFTkSuQmCC'
          Source: PO07262021.exe, Lens.cs | Base64 encoded string: '…'
          Source: PO07262021.exe, NotifactionMSG.cs | Base64 encoded string: '…', '…'
          Source: PO07262021.exe, ThemeContainer.cs | Base64 encoded string: '…'
          Source: PO07262021.exe, YouPLayer.cs | Base64 encoded string: '…'
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@2/1
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011DC5CA _get_osfhandle, GetConsoleScreenBufferInfo, WriteConsoleW, GetLastError, GetLastError, FormatMessageW, GetConsoleScreenBufferInfo, WriteConsoleW, GetStdHandle, FlushConsoleInputBuffer, GetConsoleMode, SetConsoleMode, _getch, SetConsoleMode, GetConsoleScreenBufferInfo, FillConsoleOutputCharacterW, SetConsoleCursorPosition, EnterCriticalSection, LeaveCriticalSection, exit | 15_2_011DC5CA
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011FA0D2 memset, GetDiskFreeSpaceExW, ??_V@YAXPAX@Z | 15_2_011FA0D2
          Source: C:\Users\user\Desktop\PO07262021.exe | File created: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6812:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2388:120:WilError_01
          Source: C:\Users\user\Desktop\PO07262021.exe | Mutant created: \Sessions\1\BaseNamedObjects\fKCtYnPDseQYKUqQUyihPKJYaez
          Source: C:\Users\user\Desktop\PO07262021.exe | File created: C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp
          Source: PO07262021.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\PO07262021.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\PO07262021.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\PO07262021.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: PO07262021.exe | Virustotal: Detection: 58%
          Source: PO07262021.exe | ReversingLabs: Detection: 73%
          Source: C:\Users\user\Desktop\PO07262021.exe | File read: C:\Users\user\Desktop\PO07262021.exe
          Source: unknown | Process created: C:\Users\user\Desktop\PO07262021.exe 'C:\Users\user\Desktop\PO07262021.exe'
          Source: C:\Users\user\Desktop\PO07262021.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'
          Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO07262021.exe | Process created: C:\Users\user\Desktop\PO07262021.exe C:\Users\user\Desktop\PO07262021.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\PO07262021.exe'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\PO07262021.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Users\user\Desktop\PO07262021.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: PO07262021.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: PO07262021.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000002.912990654.0000000003B5F000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe, 0000000F.00000000.765256590.00000000011D0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: PO07262021.exe, 00000007.00000002.767621920.0000000001190000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: cmd.pdb source: PO07262021.exe, 00000007.00000002.768387188.00000000014E0000.00000040.00000001.sdmp, cmd.exe
          Source: Binary string: wscui.pdb source: explorer.exe, 00000009.00000000.752806137.0000000005A00000.00000002.00000001.sdmp
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041703E push esi; iretd | 7_2_0041704D
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041E36F push ecx; iretd | 7_2_0041E380
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041E3D4 push FBA9C29Ch; ret | 7_2_0041E3DB
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00417596 push esp; iretd | 7_2_004175CC
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_004175A0 push esp; iretd | 7_2_004175CC
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041CEB5 push eax; ret | 7_2_0041CF08
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041CF6C push eax; ret | 7_2_0041CF72
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041CF02 push eax; ret | 7_2_0041CF08
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_0041CF0B push eax; ret | 7_2_0041CF72
          Source: C:\Users\user\Desktop\PO07262021.exe | Code function: 7_2_00416FD2 push 00000035h; retf | 7_2_00416FD8
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E76BD push ecx; ret | 15_2_011E76D0
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_011E76D1 push ecx; ret | 15_2_011E76E4
          Source: C:\Windows\SysWOW64\cmd.exe | Code function: 15_2_03ABD0D1 push ecx; ret | 15_2_03ABD0E4
          Source: initial sample | Static PE information: section name: .text entropy: 6.94520727658
          Source: C:\Users\user\Desktop\PO07262021.exe | File created: C:\Users\user\AppData\Roaming\FzGSUpCvLNF.exe (dropped file)

          Boot Survival:

          Uses schtasks.exe or at.exe to add and modify task schedules
          Source: C:\Users\user\Desktop\PO07262021.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FzGSUpCvLNF' /XML 'C:\Users\user\AppData\Local\Temp\tmpB7D9.tmp'

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8D 0xDE 0xEB
          Source: C:\Users\user\Desktop\PO07262021.exe | Process information set: NOOPENFILEERRORBOX