
Windows Analysis Report 010013.exe

Overview

General Information

Sample Name: 010013.exe
Analysis ID: 501987
MD5: b670879d45e75eb7f88fe047f9e88e5f
SHA1: 7497d669a327aebf33ec9dd1c554444d4ee826cf
SHA256: ec427d5a521cdc4f2690ac7ffa883c982c4e3008991127998b0cfdf32f240f30
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Uses netsh to modify the Windows network and firewall settings
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses schtasks.exe or at.exe to add and modify task schedules
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Drops PE files
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 010013.exe (PID: 1568 cmdline: 'C:\Users\user\Desktop\010013.exe' MD5: B670879D45E75EB7F88FE047F9E88E5F)
    • schtasks.exe (PID: 6420 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ELqDlkdxF' /XML 'C:\Users\user\AppData\Local\Temp\tmp30F5.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • 010013.exe (PID: 2128 cmdline: C:\Users\user\Desktop\010013.exe MD5: B670879D45E75EB7F88FE047F9E88E5F)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • netsh.exe (PID: 6648 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: A0AA3322BB46BBFC36AB9DC1DBBBB807)
          • cmd.exe (PID: 6680 cmdline: /c del 'C:\Users\user\Desktop\010013.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6600 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nocodehost.com/o4ms/"], "decoy": ["fishingboatpub.com", "trebor72.com", "qualitycleanaustralia.com", "amphilykenyx.com", "jayte90.net", "alveegrace.com", "le-fleursoleil.com", "volumoffer.com", "businessbookwriters.com", "alpin-art.com", "firsttastetogo.com", "catofc.com", "ref-290.com", "sbo2008.com", "fortlauderdaleelevators.com", "shanghaiyalian.com", "majestybags.com", "afcerd.com", "myceliated.com", "ls0a.com", "chautauquapistolpermit.com", "cq1937.com", "riafellowship.com", "sjzlyk120.com", "onlinerebatemall.com", "bjlmzmd.com", "services-neetflix-info.info", "khaapa.com", "thehgboutique.com", "iconndigital.com", "ninjavendas.com", "zeonyej.icu", "iddqdtrk.com", "taoy360.info", "conanagent.icu", "mobileflirting.online", "lorrainelevis.com", "bakerrepublic.com", "tfi50.net", "mildlobr.com", "turnkeypet.com", "instarmall.com", "contilnetnoticias.website", "symbiocrm.com", "earn074.com", "swapf.com", "daveydavisphotography.com", "notes2nobody.com", "pensje.net", "nanoplastiakopoma.com", "inlandempiresublease.com", "donaldjtryump.com", "secondinningseva.com", "zumohub.xyz", "torbiedesigns.com", "koastedco.com", "lifestyleeve.com", "purposepalacevenue.com", "risk-managements.com", "doluhediye.com", "revolutionarylightworkers.com", "smithridge.net", "share-store.net", "jastalks.com"]}

Yara Overview

Memory Dumps

Source / Rule / Description / Author / Strings
0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp / JoeSecurity_FormBook / Yara detected FormBook / Joe Security
0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp / Formbook_1 / autogenerated rule brought to you by yara-signator / Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b317:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp / Formbook / detect Formbook in memory / JPCERT/CC Incident Response Group
  • 0x183f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1850c:$sqlite3step: 68 34 1C 7B E1
  • 0x18428:$sqlite3text: 68 38 2A 90 C5
  • 0x1854d:$sqlite3text: 68 38 2A 90 C5
  • 0x1843b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18563:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000002.707504669.0000000002932000.00000004.00000001.sdmp / JoeSecurity_AntiVM_3 / Yara detected AntiVM_3 / Joe Security
0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp / JoeSecurity_FormBook / Yara detected FormBook / Joe Security

Unpacked PEs

Source / Rule / Description / Author / Strings
6.2.010013.exe.400000.0.unpack / JoeSecurity_FormBook / Yara detected FormBook / Joe Security
6.2.010013.exe.400000.0.unpack / Formbook_1 / autogenerated rule brought to you by yara-signator / Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a517:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
6.2.010013.exe.400000.0.unpack / Formbook / detect Formbook in memory / JPCERT/CC Incident Response Group
  • 0x175f9:$sqlite3step: 68 34 1C 7B E1
  • 0x1770c:$sqlite3step: 68 34 1C 7B E1
  • 0x17628:$sqlite3text: 68 38 2A 90 C5
  • 0x1774d:$sqlite3text: 68 38 2A 90 C5
  • 0x1763b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17763:$sqlite3blob: 68 53 D8 7F 8C
0.2.010013.exe.2912ec4.1.raw.unpack / JoeSecurity_AntiVM_3 / Yara detected AntiVM_3 / Joe Security
6.2.010013.exe.400000.0.raw.unpack / JoeSecurity_FormBook / Yara detected FormBook / Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, Malware Configuration Extractor: FormBook {"C2 list": ["www.nocodehost.com/o4ms/"], "decoy": ["fishingboatpub.com", "trebor72.com", "qualitycleanaustralia.com", "amphilykenyx.com", "jayte90.net", "alveegrace.com", "le-fleursoleil.com", "volumoffer.com", "businessbookwriters.com", "alpin-art.com", "firsttastetogo.com", "catofc.com", "ref-290.com", "sbo2008.com", "fortlauderdaleelevators.com", "shanghaiyalian.com", "majestybags.com", "afcerd.com", "myceliated.com", "ls0a.com", "chautauquapistolpermit.com", "cq1937.com", "riafellowship.com", "sjzlyk120.com", "onlinerebatemall.com", "bjlmzmd.com", "services-neetflix-info.info", "khaapa.com", "thehgboutique.com", "iconndigital.com", "ninjavendas.com", "zeonyej.icu", "iddqdtrk.com", "taoy360.info", "conanagent.icu", "mobileflirting.online", "lorrainelevis.com", "bakerrepublic.com", "tfi50.net", "mildlobr.com", "turnkeypet.com", "instarmall.com", "contilnetnoticias.website", "symbiocrm.com", "earn074.com", "swapf.com", "daveydavisphotography.com", "notes2nobody.com", "pensje.net", "nanoplastiakopoma.com", "inlandempiresublease.com", "donaldjtryump.com", "secondinningseva.com", "zumohub.xyz", "torbiedesigns.com", "koastedco.com", "lifestyleeve.com", "purposepalacevenue.com", "risk-managements.com", "doluhediye.com", "revolutionarylightworkers.com", "smithridge.net", "share-store.net", "jastalks.com"]}
Multi AV Scanner detection for submitted file
Source: 010013.exe, Virustotal: Detection: 39%
Source: 010013.exe, ReversingLabs: Detection: 32%
Yara detected FormBook
Source: Yara match, File source: 6.2.010013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.010013.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.735504885.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.772997632.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.752185973.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.773808293.0000000000E70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.946245801.0000000002BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.774956721.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.707936847.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\ELqDlkdxF.exe, ReversingLabs: Detection: 32%
Source: 6.2.010013.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 010013.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 010013.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netsh.pdb, source: 010013.exe, 00000006.00000002.775295184.0000000002D60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: 010013.exe, 00000006.00000002.774373075.0000000000FCF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.947117208.00000000034CF000.00000040.00000001.sdmp
Source: Binary string: netsh.pdbGCTL, source: 010013.exe, 00000006.00000002.775295184.0000000002D60000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdb, source: 010013.exe, 00000006.00000002.774373075.0000000000FCF000.00000040.00000001.sdmp, netsh.exe
Source: C:\Users\user\Desktop\010013.exe, Code function: 4x nop then pop edi, 6_2_0040E431
Source: C:\Windows\SysWOW64\netsh.exe, Code function: 4x nop then pop edi, 10_2_008CE431

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.smithridge.net
Source: C:\Windows\explorer.exe, Domain query: www.lifestyleeve.com
Source: C:\Windows\explorer.exe, Domain query: www.myceliated.com
Source: C:\Windows\explorer.exe, Network Connect: 199.59.242.153 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.nocodehost.com/o4ms/
Source: Joe Sandbox View, ASN Name: BODIS-NJUS BODIS-NJUS
Source: global traffic, HTTP traffic detected: GET /o4ms/?X61HiLc=8GNZfXhxkQPDp/0Q3wwiQDJ4fZPKroBOtzHsTvHuSmq05FSo/HrWX19J684oFY+7hHWk&jHPhl=5jo4ZxbHw HTTP/1.1, Host: www.lifestyleeve.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: Joe Sandbox View, IP Address: 199.59.242.153 199.59.242.153
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: 010013.exe, 00000000.00000002.707455914.00000000028F1000.00000004.00000001.sdmp, String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: 010013.exe, 00000000.00000002.707504669.0000000002932000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: 010013.exe, 00000000.00000002.707101659.0000000000F47000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comFB
Source: 010013.exe, 00000000.00000002.707101659.0000000000F47000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comldco
Source: 010013.exe, 00000000.00000002.707101659.0000000000F47000.00000004.00000040.sdmp, String found in binary or memory: http://www.fontbureau.comoitu
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: 010013.exe, 00000000.00000002.714167575.0000000006A02000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: netsh.exe, 0000000A.00000002.947588585.0000000003DCF000.00000004.00020000.sdmp, String found in binary or memory: https://fonts.googleapis.com
Source: netsh.exe, 0000000A.00000002.947588585.0000000003DCF000.00000004.00020000.sdmp, String found in binary or memory: https://parking.bodiscdn.com
Source: netsh.exe, 0000000A.00000002.947588585.0000000003DCF000.00000004.00020000.sdmp, String found in binary or memory: https://www.google.com
Source: unknown, DNS traffic detected: queries for: www.smithridge.net
Source: global traffic, HTTP traffic detected: GET /o4ms/?X61HiLc=8GNZfXhxkQPDp/0Q3wwiQDJ4fZPKroBOtzHsTvHuSmq05FSo/HrWX19J684oFY+7hHWk&jHPhl=5jo4ZxbHw HTTP/1.1, Host: www.lifestyleeve.com, Connection: close, Data Raw: 00 00 00 00 00 00 00, Data Ascii:
Source: 010013.exe, 00000000.00000002.706837713.0000000000CAA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, File source: 6.2.010013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 6.2.010013.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.735504885.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.772997632.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000000.752185973.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.773808293.0000000000E70000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 0000000A.00000002.946245801.0000000002BC0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000006.00000002.774956721.00000000011E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.707936847.00000000038F9000.00000004.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 6.2.010013.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.010013.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 6.2.010013.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 6.2.010013.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.735504885.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.735504885.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.772997632.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.772997632.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000007.00000000.752185973.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000007.00000000.752185973.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.773808293.0000000000E70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.773808293.0000000000E70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.946245801.0000000002BC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.946245801.0000000002BC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.774956721.00000000011E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.774956721.00000000011E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.707936847.00000000038F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.707936847.00000000038F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
Source: 010013.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: 6.2.010013.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.010013.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.010013.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 6.2.010013.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.945772498.00000000008C0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.946308556.0000000002F00000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.735504885.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.735504885.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.772997632.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.772997632.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000007.00000000.752185973.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000007.00000000.752185973.0000000006BF7000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.773808293.0000000000E70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.773808293.0000000000E70000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.946245801.0000000002BC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.946245801.0000000002BC0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.774956721.00000000011E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.774956721.00000000011E0000.00000040.00020000.sdmp, type: MEMORY, Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.707936847.00000000038F9000.00000004.00000001.sdmp, type: MEMORY, Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
              Source: 00000000.00000002.707936847.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_004C53D5
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_004C5696
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_00C7E6B8
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_00C7E6AB
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_00C7BD04
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_07725F40
              Source: C:\Users\user\Desktop\010013.exe | Code function: 0_2_07725F30
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00401030
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_0041D89F
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_0041E1D0
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_0041D48C
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00402D88
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00402D90
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_0041D641
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00409E2B
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00409E30
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_0041DF78
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_0041E701
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00402FB0
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_004653D5
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00465696
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_0340EBB0
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033F6E30
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033D0D20
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033F4120
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034A1D55
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033DF900
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033ED5E0
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033E841F
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03491002
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_033EB090
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008DE1D0
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008C2D88
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008C2D90
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008C9E2B
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008DD63F
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008C9E30
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008C2FB0
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008DDF78
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: String function: 033DB150 appears 32 times
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00419D50 NtCreateFile
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00419E00 NtReadFile
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00419E80 NtClose
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00419F30 NtAllocateVirtualMemory
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00419DA4 NtCreateFile
              Source: C:\Users\user\Desktop\010013.exe | Code function: 6_2_00419E7A NtClose
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419710 NtQueryInformationToken,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419FE0 NtCreateMutant,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419780 NtMapViewOfSection,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419A50 NtCreateFile,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034196D0 NtCreateKey,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034196E0 NtFreeVirtualMemory,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419540 NtReadFile,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419910 NtAdjustPrivilegesToken,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034195D0 NtClose,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034199A0 NtCreateSection,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419840 NtDelayExecution,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419860 NtQuerySystemInformation,LdrInitializeThunk
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419760 NtOpenProcess
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419770 NtSetInformationFile
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_0341A770 NtOpenThread
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419B00 NtSetValueKey
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_0341A710 NtOpenProcessToken
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419730 NtQueryVirtualMemory
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034197A0 NtUnmapViewOfSection
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_0341A3B0 NtGetContextThread
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419650 NtQueryValueKey
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419660 NtAllocateVirtualMemory
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419670 NtQueryInformationProcess
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419A00 NtProtectVirtualMemory
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419610 NtEnumerateValueKey
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419A10 NtQuerySection
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419A20 NtResumeThread
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419A80 NtOpenDirectoryObject
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419950 NtQueueApcThread
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419560 NtWriteFile
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419520 NtWaitForSingleObject
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_0341AD30 NtSetContextThread
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034199D0 NtCreateProcessEx
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034195F0 NtQueryInformationFile
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_0341B040 NtSuspendThread
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_03419820 NtEnumerateKey
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034198F0 NtReadVirtualMemory
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_034198A0 NtWriteVirtualMemory
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008D9D50 NtCreateFile
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008D9E80 NtClose
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008D9E00 NtReadFile
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008D9DA4 NtCreateFile
              Source: C:\Windows\SysWOW64\netsh.exe | Code function: 10_2_008D9E7A NtClose
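              The native-call rows above are what back the "process hollowing", "Queues an APC in another process" and "Modifies the context of a thread in another process" signatures: netsh.exe (process index 10) resolves NtCreateProcessEx, NtUnmapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtSetContextThread, NtQueueApcThread and NtResumeThread from a privately mapped ntdll copy, while the first-stage 010013.exe (index 6) only touches file and memory-allocation calls. The script below is an added triage example written for this page, not part of the Joe Sandbox report or its signature engine: it groups "Code function" rows by process index and reports which injection primitive sets are complete. The rows embedded as input are a constructed subset of the rows above (written with a " | " separator between the source and detail columns), and the technique-to-API table is the editor's own mapping, not the sandbox's.

```python
"""Group a sandbox report's 'Code function' rows by process and flag injection primitives.

Added example for this page; not part of the Joe Sandbox report or its tooling.
The technique-to-API table is the editor's own triage mapping, not the sandbox's
signature logic.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the 'Code function' rows listed above.
ROWS = """\
Source: C:\\Users\\user\\Desktop\\010013.exe | Code function: 6_2_00419D50 NtCreateFile
Source: C:\\Users\\user\\Desktop\\010013.exe | Code function: 6_2_00419F30 NtAllocateVirtualMemory
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_03419780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_034197A0 NtUnmapViewOfSection
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_03419950 NtQueueApcThread
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_0341AD30 NtSetContextThread
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_034199D0 NtCreateProcessEx
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_03419A20 NtResumeThread
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_034198A0 NtWriteVirtualMemory
Source: C:\\Windows\\SysWOW64\\netsh.exe | Code function: 10_2_03419660 NtAllocateVirtualMemory
"""

# One row: "Source: <image> | Code function: <pid>_<state>_<addr> <call>[,<call>...]"
ROW_RE = re.compile(
    r"^Source: (?P<image>.+?) \| Code function: "
    r"(?P<pid>\d+)_(?P<state>\d+)_(?P<addr>[0-9A-Fa-f]{8}) (?P<calls>[A-Za-z0-9_,]+)$"
)

# Editor's triage table (assumption, not the sandbox's rule set): a technique is
# reported when every API in its set is resolved by the same process.
TECHNIQUES = {
    "process hollowing": {"NtCreateProcessEx", "NtUnmapViewOfSection",
                          "NtMapViewOfSection", "NtWriteVirtualMemory",
                          "NtResumeThread"},
    "thread context hijack": {"NtSetContextThread", "NtResumeThread"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
}


def parse_rows(text):
    """Return {(pid_index, image): set of Nt* calls} from 'Code function' rows."""
    calls_by_proc = defaultdict(set)
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # rows without a native call (plain function addresses) are skipped
        for fn in m.group("calls").split(","):
            if fn.startswith("Nt"):
                calls_by_proc[(int(m.group("pid")), m.group("image"))].add(fn)
    return dict(calls_by_proc)


def matched_techniques(calls):
    """Names of techniques whose full API set is a subset of `calls`, sorted."""
    return sorted(name for name, apis in TECHNIQUES.items() if apis <= calls)


def triage(text):
    """Map each (pid_index, image) to the technique names its native calls support."""
    return {proc: matched_techniques(calls)
            for proc, calls in parse_rows(text).items()}


if __name__ == "__main__":
    for (pid, image), techs in triage(ROWS).items():
        print(f"process index {pid} {image}: {techs or ['no injection primitives']}")
```

              Seeing the stubs resolved is an indicator, not proof that they ran; the sandbox's behavioural signatures (and the `wntdll.pdb` string found in the netsh.exe memory dump) are what tie these addresses to an unhooked ntdll copy and to the injection the report observed.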
              Source: 010013.exe, 00000000.00000002.706837713.0000000000CAA000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs 010013.exe
              Source: 010013.exe, 00000000.00000002.717972795.00000000075E0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll< vs 010013.exe
              Source: 010013.exe, 00000000.00000000.678955548.0000000000556000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAnsiBSTRMarshal.exeD vs 010013.exe
              Source: 010013.exe, 00000006.00000002.774854435.000000000115F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs 010013.exe
              Source: 010013.exe, 00000006.00000002.773379173.00000000004F6000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameAnsiBSTRMarshal.exeD vs 010013.exe
              Source: 010013.exe, 00000006.00000002.775347454.0000000002D7C000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamenetsh.exej% vs 010013.exe
              Source: 010013.exe | Binary or memory string: OriginalFilenameAnsiBSTRMarshal.exeD vs 010013.exe
              Source: 010013.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: ELqDlkdxF.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: 010013.exe | Virustotal: Detection: 39%
              Source: 010013.exe | ReversingLabs: Detection: 32%
              Source: C:\Users\user\Desktop\010013.exe | File read: C:\Users\user\Desktop\010013.exe
              Source: 010013.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\010013.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknown | Process created: C:\Users\user\Desktop\010013.exe 'C:\Users\user\Desktop\010013.exe'
              Source: C:\Users\user\Desktop\010013.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ELqDlkdxF' /XML 'C:\Users\user\AppData\Local\Temp\tmp30F5.tmp'
              Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\010013.exe | Process created: C:\Users\user\Desktop\010013.exe C:\Users\user\Desktop\010013.exe
              Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\010013.exe'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\010013.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ELqDlkdxF' /XML 'C:\Users\user\AppData\Local\Temp\tmp30F5.tmp'
              Source: C:\Users\user\Desktop\010013.exe | Process created: C:\Users\user\Desktop\010013.exe C:\Users\user\Desktop\010013.exe
              Source: C:\Windows\SysWOW64\netsh.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\010013.exe'
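              The process-creation rows above show the whole chain in six events: the dropper registers a scheduled task from an XML file in %TEMP%, re-launches itself (the hollowed second stage), the injected explorer.exe spawns an argument-less 32-bit netsh.exe, and netsh.exe deletes the original sample through cmd.exe. The script below is an added example written for this page, not part of the Joe Sandbox report or its tooling: it parses those rows into parent/child/command-line events and applies three rules that name the same behaviours the report's signatures flag ("Uses schtasks.exe ... to add and modify task schedules", "Uses netsh to modify ...", "Self deletion via cmd delete"). The embedded rows are a constructed copy of the rows above written with a " | " column separator, and the rules themselves are the editor's, not the sandbox's.

```python
"""Flag persistence, odd parent/child pairs and self-deletion in 'Process created' rows.

Added example for this page; not part of the Joe Sandbox report or its tooling.
The three rules are the editor's own and mirror what the report's signatures
already call out for this sample.
"""
import ntpath
import re

# Constructed input: the process-creation rows listed above, in report order.
ROWS = """\
Source: unknown | Process created: C:\\Users\\user\\Desktop\\010013.exe 'C:\\Users\\user\\Desktop\\010013.exe'
Source: C:\\Users\\user\\Desktop\\010013.exe | Process created: C:\\Windows\\SysWOW64\\schtasks.exe 'C:\\Windows\\System32\\schtasks.exe' /Create /TN 'Updates\\ELqDlkdxF' /XML 'C:\\Users\\user\\AppData\\Local\\Temp\\tmp30F5.tmp'
Source: C:\\Windows\\SysWOW64\\schtasks.exe | Process created: C:\\Windows\\System32\\conhost.exe C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1
Source: C:\\Users\\user\\Desktop\\010013.exe | Process created: C:\\Users\\user\\Desktop\\010013.exe C:\\Users\\user\\Desktop\\010013.exe
Source: C:\\Windows\\explorer.exe | Process created: C:\\Windows\\SysWOW64\\netsh.exe C:\\Windows\\SysWOW64\\netsh.exe
Source: C:\\Windows\\SysWOW64\\netsh.exe | Process created: C:\\Windows\\SysWOW64\\cmd.exe /c del 'C:\\Users\\user\\Desktop\\010013.exe'
"""

# One row: "Source: <parent image> | Process created: <child image> <command line>"
ROW_RE = re.compile(
    r"^Source: (?P<parent>.+?) \| Process created: (?P<image>\S+)(?: (?P<cmdline>.*))?$"
)


def parse_events(text):
    """Return a list of {parent, image, cmdline} dicts, one per row, in order."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"parent": m.group("parent"),
                           "image": m.group("image"),
                           "cmdline": m.group("cmdline") or ""})
    return events


def base(path):
    """Lower-cased file name of a Windows path ('unknown' stays 'unknown')."""
    return ntpath.basename(path).lower()


def find_suspicious(events):
    """Return (rule name, detail) tuples for every event that trips a rule."""
    findings = []
    images_seen = {e["image"] for e in events}  # every image that ran in this tree
    for e in events:
        child, parent, cmd = base(e["image"]), base(e["parent"]), e["cmdline"]

        # Rule 1: schtasks /Create fed a task definition from the user's Temp folder.
        if child == "schtasks.exe" and "/create" in cmd.lower() \
                and re.search(r"/xml\s+'?[^']*\\temp\\", cmd, re.I):
            task = re.search(r"/TN\s+'([^']+)'", cmd, re.I)
            findings.append(("scheduled-task persistence",
                             task.group(1) if task else cmd))

        # Rule 2: explorer.exe starting a SysWOW64 tool with no arguments at all,
        # which is how the injected explorer.exe hands off to netsh.exe here.
        if parent == "explorer.exe" and "\\syswow64\\" in e["image"].lower() \
                and cmd.strip().strip("'\"").lower() == e["image"].lower():
            findings.append(("explorer spawns system tool without arguments",
                             e["image"]))

        # Rule 3: cmd /c del aimed at an image that already ran in this tree.
        m = re.search(r"/c\s+del\s+'?(?P<target>[^']+?)'?\s*$", cmd, re.I)
        if child == "cmd.exe" and m and m.group("target") in images_seen:
            findings.append(("self deletion", m.group("target")))
    return findings


if __name__ == "__main__":
    for rule, detail in find_suspicious(parse_events(ROWS)):
        print(f"{rule}: {detail}")
```

              On a live host the same three conditions map directly onto Sysmon Event ID 1 fields (ParentImage, Image, CommandLine), so the rules translate to endpoint detections without change; the temp-file XML check is the one most likely to need tuning, since legitimate installers also register tasks that way.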
              Source: C:\Users\user\Desktop\010013.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
              Source: C:\Users\user\Desktop\010013.exe | File created: C:\Users\user\AppData\Roaming\ELqDlkdxF.exe
              Source: C:\Users\user\Desktop\010013.exe | File created: C:\Users\user\AppData\Local\Temp\tmp30F5.tmp
              Source: classification engine | Classification label: mal100.troj.evad.winEXE@10/4@3/1
              Source: C:\Users\user\Desktop\010013.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\010013.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
              Source: C:\Users\user\Desktop\010013.exe | Mutant created: \Sessions\1\BaseNamedObjects\reblGreen Software DimWin Brightness
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6600:120:WilError_01
              Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Users\user\Desktop\010013.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
              Source: 010013.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: 010013.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
              Source: Binary string: netsh.pdb source: 010013.exe, 00000006.00000002.775295184.0000000002D60000.00000040.00020000.sdmp
              Source: Binary string: wntdll.pdbUGP source: 010013.exe, 00000006.00000002.774373075.0000000000FCF000.00000040.00000001.sdmp, netsh.exe, 0000000A.00000002.947117208.00000000034CF000.00000040.00000001.sdmp
              Source: Binary string: netsh.pdbGCTL source: 010013.exe, 00000006.00000002.775295184.0000000002D60000.00000040.00020000.sdmp
              Source: Binary string: wntdll.pdb source: 010013.exe, 00000006.00000002.774373075.0000000000FCF000.00000040.00000001.sdmp, netsh.exe

              Data Obfuscation:

              .NET source code contains potential unpacker
              Source: 010013.exe, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: ELqDlkdxF.exe.0.dr, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
              Source: 0.2.010013.exe.4c0000.0.unpack, Brightness.cs | .Net Code: ExceptionFromErrorCode System.Reflection.Assembly System.AppDomain::Load(System.Byte[])