
Windows Analysis Report S9yf6BkjhTQUbHE.exe

Overview

General Information

Sample Name: S9yf6BkjhTQUbHE.exe
Analysis ID: 528622
MD5: 812861ad5cbb91bfa01a6a15c2cef128
SHA1: ca092e52319047d609cb6fcca1821a8f873416df
SHA256: a649d216b55b0f0597a16690b8469b6b44b9cdc73560d8237387b2df225ab20b
Tags: exe, Formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
System process connects to network (likely due to code injection or exploit)
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Performs DNS queries to domains with low reputation
Self deletion via cmd delete
.NET source code contains potential unpacker
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Process Tree

  • System is w10x64
  • S9yf6BkjhTQUbHE.exe (PID: 6344 cmdline: "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" MD5: 812861AD5CBB91BFA01A6A15C2CEF128)
    • S9yf6BkjhTQUbHE.exe (PID: 6408 cmdline: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe MD5: 812861AD5CBB91BFA01A6A15C2CEF128)
      • explorer.exe (PID: 3472 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autoconv.exe (PID: 6488 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • msdt.exe (PID: 6472 cmdline: C:\Windows\SysWOW64\msdt.exe MD5: 7F0C51DBA69B9DE5DDF6AA04CE3A69F4)
          • cmd.exe (PID: 6572 cmdline: /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.peptidepowder.com/czh8/"], "decoy": ["ekkyo-business.com", "anamentor.com", "criptodigital.online", "smart-device.tech", "piano-tomimoto.com", "sergiojuradomunera.com", "xn----pl8a630b0whm6t.com", "exploitslozdz.xyz", "peregorodki.store", "authenticationtd.net", "ichelbrousset.com", "amboyshops.com", "hengtaigyl.com", "iliubo.com", "overtimersanonymous.com", "crimsonrangellc.com", "otterburnelanding.com", "ping-ken.info", "belezaweb.digital", "elementkultury.com", "heireply.xyz", "membranbakar.xyz", "babygirlletsheal.com", "alpe.paris", "fuslonnd.com", "massaora.com", "geatarotista.com", "namethatsetup.com", "igdxir.com", "tokatyapimarket.com", "soundnox.com", "ase3baeb4p.com", "uniteddatavault.com", "savageequipment.biz", "cutos2.com", "thietketrangtrinhacua.store", "mways-vintage.com", "cloudscapephotos.com", "padelscuolaroma.store", "medeiros.store", "green-umbrella.academy", "kobaran.com", "ilmkibahar.com", "blueworldaquariums.com", "bigjohnblues.com", "e2adriasec.online", "pufaawareskincare.com", "sumerchemicals.com", "epubgame.net", "nuditecouverte.com", "tbpadvogados.website", "cryptoentering.com", "dahliahearing.com", "annellata.xyz", "barberking.online", "cpw882.com", "dock-weiler.com", "dianyuwang.com", "fitpromax.xyz", "deckingtoronto.com", "boundlessentgroup.com", "metricwombat.com", "emergencyhomerepairnetwork.com", "fullerhomeloans.com"]}

Yara Overview

Memory Dumps

Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(34 entries in total; only the first are shown)

      Unpacked PEs

Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x19bb7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1ac5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
  • 0x16ae9:$sqlite3step: 68 34 1C 7B E1
  • 0x16bfc:$sqlite3step: 68 34 1C 7B E1
  • 0x16b18:$sqlite3text: 68 38 2A 90 C5
  • 0x16c3d:$sqlite3text: 68 38 2A 90 C5
  • 0x16b2b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x16c53:$sqlite3blob: 68 53 D8 7F 8C
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x18db7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x19e5a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(18 entries in total; only the first are shown)

          Sigma Overview

System Summary:

Sigma detected: Possible Applocker Bypass
Source: Process started; Author: juju4; Data: Command: C:\Windows\SysWOW64\msdt.exe, CommandLine: C:\Windows\SysWOW64\msdt.exe, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\msdt.exe, NewProcessName: C:\Windows\SysWOW64\msdt.exe, OriginalFileName: C:\Windows\SysWOW64\msdt.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 3472, ProcessCommandLine: C:\Windows\SysWOW64\msdt.exe, ProcessId: 6472

          Jbx Signature Overview


          AV Detection:

Found malware configuration
Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: S9yf6BkjhTQUbHE.exe; ReversingLabs: Detection: 22%
Yara detected FormBook
Source: Yara match; File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: S9yf6BkjhTQUbHE.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: S9yf6BkjhTQUbHE.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: msdt.pdbGCTL; source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP; source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb; source: S9yf6BkjhTQUbHE.exe, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000001.00000002.315139597.0000000001090000.00000040.00000001.sdmp, msdt.exe, msdt.exe, 00000012.00000002.520823591.0000000004D9F000.00000040.00000001.sdmp, msdt.exe, 00000012.00000002.520500167.0000000004C80000.00000040.00000001.sdmp
Source: Binary string: msdt.pdb; source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe; Code function: 4x nop then pop edi
Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\msdt.exe; Code function: 4x nop then pop edi

          Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49827 -> 34.117.168.233:80
Source: Traffic; Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic; Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
Source: Traffic; Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.5:49837 -> 198.54.117.218:80
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe; Domain query: www.xn----pl8a630b0whm6t.com
Source: C:\Windows\explorer.exe; Domain query: www.epubgame.net
Source: C:\Windows\explorer.exe; Network Connect: 23.106.123.249 80
Source: C:\Windows\explorer.exe; Network Connect: 172.67.178.31 80
Source: C:\Windows\explorer.exe; Domain query: www.anamentor.com
Source: C:\Windows\explorer.exe; Domain query: www.fuslonnd.com
Source: C:\Windows\explorer.exe; Domain query: www.annellata.xyz
Source: C:\Windows\explorer.exe; Domain query: www.metricwombat.com
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe; DNS query: www.annellata.xyz
Source: DNS query: www.exploitslozdz.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.peptidepowder.com/czh8/
Source: Joe Sandbox View; ASN Name: LEASEWEB-APAC-SIN-11LeasewebAsiaPacificpteltdSG
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: global traffic; HTTP traffic detected: GET /czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG+pwFiMTHdBlEYfNNBf&t4b=Zn-L HTTP/1.1 Host: www.anamentor.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: Joe Sandbox View; IP Address: 23.106.123.249
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp, S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: msdt.exe, 00000012.00000002.519445044.000000000315F000.00000004.00000020.sdmp; String found in binary or memory: http://www.xn----pl8a630b0whm6t.com/czh8/?7n=WfBFmY7eHt5QBShHhdd2jwwFQU0Qfs4ciJop7u3ZFFtbwI7iz04mk8i
Source: msdt.exe, 00000012.00000002.521258705.0000000005332000.00000004.00020000.sdmp; String found in binary or memory: https://www.anamentor.com/czh8/?7n=IRLjoLIXlWieDd548KoJS/rowvlX7n5q7mSRLwbc7H8jLvnjYG
Source: unknown; DNS traffic detected: queries for: www.epubgame.net
Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmp; Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

Yara detected FormBook
Source: Yara match; File sources: the same unpacked PEs and memory dumps listed under AV Detection above.

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: S9yf6BkjhTQUbHE.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Yara rules matched (every source listed below matched both rules):
          Rule Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Rule Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.6.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.4.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.2.S9yf6BkjhTQUbHE.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 1.0.S9yf6BkjhTQUbHE.exe.400000.8.raw.unpack, type: UNPACKEDPE | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000002.314660733.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000000.250860288.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000012.00000002.514724044.00000000008D0000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000012.00000002.518773545.0000000002FA0000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000004.00000000.288279316.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000002.314889663.0000000000A20000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000004.00000000.305725796.000000000EC4A000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000000.00000002.256688867.00000000041A8000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000000.251285298.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000001.00000002.314919624.0000000000A50000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: 00000012.00000002.518592905.0000000002E90000.00000040.00020000.sdmp, type: MEMORY | Matched rules: Formbook_1, Formbook
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code functions: 0_2_05525AB0, 0_2_05525AA0, 1_2_00401030, 1_2_0041BA22, 1_2_0041C42D, 1_2_00408C8D, 1_2_00408C90, 1_2_00402D87, 1_2_00402D90, 1_2_00402FB0, 1_2_0041CFB4, 1_2_010BF900, 1_2_01182D07, 1_2_010B0D20, 1_2_010D4120, 1_2_01181D55, 1_2_010E2581, 1_2_011825DD, 1_2_010CD5E0, 1_2_010C841F, 1_2_01171002, 1_2_0117D466, 1_2_010CB090, 1_2_010E20A0, 1_2_011820A8, 1_2_011828EC, 1_2_01182B28, 1_2_010EEBB0, 1_2_0117DBD2, 1_2_01181FF1, 1_2_010D6E30, 1_2_011822AE, 1_2_01182EF7
          Source: C:\Windows\SysWOW64\msdt.exe | Code functions: 18_2_04D6D466, 18_2_04CB841F, 18_2_04D725DD, 18_2_04CBD5E0, 18_2_04CD2581, 18_2_04D71D55, 18_2_04D72D07, 18_2_04CA0D20, 18_2_04D72EF7, 18_2_04D6D616, 18_2_04CC6E30, 18_2_04D7DFCE, 18_2_04D71FF1, 18_2_04D728EC, 18_2_04CBB090, 18_2_04CD20A0, 18_2_04D720A8, 18_2_04D61002, 18_2_04D7E824, 18_2_04CCA830, 18_2_04CAF900, 18_2_04CC4120, 18_2_04D722AE, 18_2_04D5FA2B, 18_2_04D6DBD2, 18_2_04D603DA, 18_2_04CDEBB0, 18_2_04CCAB40, 18_2_04D72B28, 18_2_008EBA22, 18_2_008D8C8D, 18_2_008D8C90, 18_2_008EC41E, 18_2_008D2D87, 18_2_008D2D90, 18_2_008ECFB4, 18_2_008D2FB0
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: String function: 010BB150 appears 35 times
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: String function: 04CAB150 appears 54 times
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004185F0 NtCreateFile
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004186A0 NtReadFile
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_00418720 NtClose
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004187D0 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_0041869A NtReadFile
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_004187CA NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9560 NtWriteFile
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FB040 NtSuspendThread
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9760 NtOpenProcess
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FA770 NtOpenThread
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010FA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A10 NtQuerySection
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Code function: 1_2_010F96D0 NtCreateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE95D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE96D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE95F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9560 NtWriteFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEAD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9610 NtEnumerateValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE97A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9760 NtOpenProcess
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEA770 NtOpenThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9770 NtSetInformationFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEA710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE98F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE98A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEB040 NtSuspendThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE99D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A10 NtQuerySection
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9A20 NtResumeThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CEA3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_04CE9B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E85F0 NtCreateFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E86A0 NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E87D0 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E8720 NtClose
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E869A NtReadFile
          Source: C:\Windows\SysWOW64\msdt.exe | Code function: 18_2_008E87CA NtAllocateVirtualMemory
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.253365121.00000000011E9000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.257531563.00000000061E0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254885571.0000000003F8D000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameUI.dll@ vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.257392561.0000000005CB0000.00000004.00020000.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000000.241151855.0000000000AF0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254291450.000000000304A000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000000.00000002.254094379.0000000002F81000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameInnerException.dll" vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316216528.00000000013C0000.00000040.00020000.sdmp | Binary or memory string: OriginalFilenamemsdt.exej% vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.315540875.00000000011AF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000000.248672814.00000000004C0000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe, 00000001.00000002.316078938.000000000133F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe | Binary or memory string: OriginalFilenameInAttribu.exe. vs S9yf6BkjhTQUbHE.exe
          Source: S9yf6BkjhTQUbHE.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: S9yf6BkjhTQUbHE.exe | ReversingLabs: Detection: 22%
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | File read: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe:Zone.Identifier
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Process created: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\msdt.exe C:\Windows\SysWOW64\msdt.exe
          Source: C:\Windows\SysWOW64\msdt.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe"
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\msdt.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\S9yf6BkjhTQUbHE.exe.log
          Source: classification engine | Classification label: mal100.troj.evad.winEXE@8/1@13/2
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_01
          Source: C:\Users\user\Desktop\S9yf6BkjhTQUbHE.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
          Source: S9yf6BkjhTQUbHE.exe | String found in binary or memory: /InAttribu;component/views/addbook.xaml
          Source: S9yf6BkjhTQUbHE.exe | String found in binary or memory: views/addbook.baml
          Source: S9yf6BkjhTQUbHE.exe | String found in binary or memory: views/addcustomer.baml
          Source: S9yf6BkjhTQUbHE.exe | String found in binary or memory: /InAttribu;component/views/addcustomer.xaml
          Source: S9yf6BkjhTQUbHE.exe | String found in binary or memory: O/InAttribu;component/views/addbook.xamle/InAttribu;component/views/borrowfrombookview.xaml[/InAttribu;component/views/borrowingview.xamlU/InAttribu;component/views/changebook.xaml]/InAttribu;component/views/changecustomer.xamlY/InAttribu;component/views/customerview.xaml]/InAttribu;component/views/deletecustomer.xamlS/InAttribu;component/views/errorview.xamlW/InAttribu;component/views/smallextras.xamlW/InAttribu;component/views/addcustomer.xaml
          Source: S9yf6BkjhTQUbHE.exe | String found in binary or memory: *images/booksimage.jpg$views/addbook.baml1J,views/addcustomer.baml
