Loading ...

Play interactive tourEdit tour

Windows Analysis Report 52h0KETBXt.exe

Overview

General Information

Sample Name:52h0KETBXt.exe
Analysis ID:552749
MD5:c0fed64dae580efb8fb8308accf76cac
SHA1:d7de3d945c5e62ee8f7b77a508b8b0682cae713d
SHA256:5bd07db2eed6c7e67e3f3947b5336c6ba986cfbd03bd406c13eda1999a64fc70
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 52h0KETBXt.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\52h0KETBXt.exe" MD5: C0FED64DAE580EFB8FB8308ACCF76CAC)
    • 52h0KETBXt.exe (PID: 984 cmdline: C:\Users\user\Desktop\52h0KETBXt.exe MD5: C0FED64DAE580EFB8FB8308ACCF76CAC)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • autoconv.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • systray.exe (PID: 5644 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 5468 cmdline: /c del "C:\Users\user\Desktop\52h0KETBXt.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5104 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18859:$sqlite3step: 68 34 1C 7B E1
    • 0x1896c:$sqlite3step: 68 34 1C 7B E1
    • 0x18888:$sqlite3text: 68 38 2A 90 C5
    • 0x189ad:$sqlite3text: 68 38 2A 90 C5
    • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.0.52h0KETBXt.exe.400000.8.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.0.52h0KETBXt.exe.400000.8.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.52h0KETBXt.exe.400000.8.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17a59:$sqlite3step: 68 34 1C 7B E1
        • 0x17b6c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a88:$sqlite3text: 68 38 2A 90 C5
        • 0x17bad:$sqlite3text: 68 38 2A 90 C5
        • 0x17a9b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17bc3:$sqlite3blob: 68 53 D8 7F 8C
        2.2.52h0KETBXt.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.52h0KETBXt.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 18 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: 52h0KETBXt.exeVirustotal: Detection: 33%Perma Link
          Source: 52h0KETBXt.exeReversingLabs: Detection: 39%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
          Multi AV Scanner detection for domain / URLShow sources
          Source: www.hstolchsjybyl.com/a83r/Virustotal: Detection: 5%Perma Link
          Machine Learning detection for sampleShow sources
          Source: 52h0KETBXt.exeJoe Sandbox ML: detected
          Source: 2.2.52h0KETBXt.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.52h0KETBXt.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.52h0KETBXt.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.52h0KETBXt.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 52h0KETBXt.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 52h0KETBXt.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 4x nop then pop esi2_2_004172FD
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then pop esi7_2_029572FD

          Networking:

          barindex
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.hstolchsjybyl.com/a83r/
          Source: explorer.exe, 00000011.00000000.834267617.00000000008F7000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: 52h0KETBXt.exe, 00000001.00000003.659840508.0000000005845000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.659900419.0000000005845000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.659871289.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://en.w
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.664631137.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.662971751.0000000005845000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.?
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 52h0KETBXt.exe, 00000001.00000003.665154267.000000000587D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 52h0KETBXt.exe, 00000001.00000003.666226019.000000000587D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlP&
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comiona
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coml1
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comm
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661311624.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661448122.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661191274.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661260196.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661386367.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661212364.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnK
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661311624.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661448122.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661191274.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661260196.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661386367.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661212364.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cni
          Source: 52h0KETBXt.exe, 00000001.00000003.668720087.0000000005875000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.668794708.0000000005875000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/1
          Source: 52h0KETBXt.exe, 00000001.00000003.668720087.0000000005875000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.668794708.0000000005875000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/;
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: 52h0KETBXt.exe, 00000001.00000003.661448122.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: 52h0KETBXt.exe, 00000001.00000002.681699547.0000000000C9A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 52h0KETBXt.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_00C6E6B01_2_00C6E6B0
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_00C6C2841_2_00C6C284
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_00C6E6AC1_2_00C6E6AC
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041E8762_2_0041E876
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_004010302_2_00401030
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041E47F2_2_0041E47F
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00402D902_2_00402D90
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041DDBE2_2_0041DDBE
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00409E5B2_2_00409E5B
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00409E602_2_00409E60
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041E6222_2_0041E622
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00402FB02_2_00402FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0479841F7_2_0479841F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0484D4667_2_0484D466
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04780D207_2_04780D20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048525DD7_2_048525DD
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04852D077_2_04852D07
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0479D5E07_2_0479D5E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04851D557_2_04851D55
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047B25817_2_047B2581
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047A6E307_2_047A6E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04852EF77_2_04852EF7
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0484D6167_2_0484D616
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0485DFCE7_2_0485DFCE
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04851FF17_2_04851FF1
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048520A87_2_048520A8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048528EC7_2_048528EC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048410027_2_04841002
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0485E8247_2_0485E824
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047B20A07_2_047B20A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0479B0907_2_0479B090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047A41207_2_047A4120
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0478F9007_2_0478F900
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048522AE7_2_048522AE
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0484DBD27_2_0484DBD2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048403DA7_2_048403DA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04852B287_2_04852B28
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047BEBB07_2_047BEBB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295E8767_2_0295E876
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295E6227_2_0295E622
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02949E5B7_2_02949E5B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02949E607_2_02949E60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02942FB07_2_02942FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295E47F7_2_0295E47F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02942D907_2_02942D90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295DDB97_2_0295DDB9
          Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 0478B150 appears 39 times
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A370 NtCreateFile,2_2_0041A370
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A420 NtReadFile,2_2_0041A420
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A4A0 NtClose,2_2_0041A4A0
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A550 NtAllocateVirtualMemory,2_2_0041A550
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A41A NtReadFile,2_2_0041A41A
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9540 NtReadFile,LdrInitializeThunk,7_2_047C9540
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C95D0 NtClose,LdrInitializeThunk,7_2_047C95D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9660 NtAllocateVirtualMemory,LdrInitializeThunk,7_2_047C9660
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9650 NtQueryValueKey,LdrInitializeThunk,7_2_047C9650
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C96E0 NtFreeVirtualMemory,LdrInitializeThunk,7_2_047C96E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C96D0 NtCreateKey,LdrInitializeThunk,7_2_047C96D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9710 NtQueryInformationToken,LdrInitializeThunk,7_2_047C9710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9FE0 NtCreateMutant,LdrInitializeThunk,7_2_047C9FE0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9780 NtMapViewOfSection,LdrInitializeThunk,7_2_047C9780
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9860 NtQuerySystemInformation,LdrInitializeThunk,7_2_047C9860
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9840 NtDelayExecution,LdrInitializeThunk,7_2_047C9840
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,7_2_047C9910
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C99A0 NtCreateSection,LdrInitializeThunk,7_2_047C99A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A50 NtCreateFile,LdrInitializeThunk,7_2_047C9A50
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9560 NtWriteFile,7_2_047C9560
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CAD30 NtSetContextThread,7_2_047CAD30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9520 NtWaitForSingleObject,7_2_047C9520
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C95F0 NtQueryInformationFile,7_2_047C95F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9670 NtQueryInformationProcess,7_2_047C9670
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9610 NtEnumerateValueKey,7_2_047C9610
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CA770 NtOpenThread,7_2_047CA770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9770 NtSetInformationFile,7_2_047C9770
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9760 NtOpenProcess,7_2_047C9760
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9730 NtQueryVirtualMemory,7_2_047C9730
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CA710 NtOpenProcessToken,7_2_047CA710
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C97A0 NtUnmapViewOfSection,7_2_047C97A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CB040 NtSuspendThread,7_2_047CB040
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9820 NtEnumerateKey,7_2_047C9820
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C98F0 NtReadVirtualMemory,7_2_047C98F0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C98A0 NtWriteVirtualMemory,7_2_047C98A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9950 NtQueueApcThread,7_2_047C9950
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C99D0 NtCreateProcessEx,7_2_047C99D0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A20 NtResumeThread,7_2_047C9A20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A10 NtQuerySection,7_2_047C9A10
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A00 NtProtectVirtualMemory,7_2_047C9A00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A80 NtOpenDirectoryObject,7_2_047C9A80
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9B00 NtSetValueKey,7_2_047C9B00
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CA3B0 NtGetContextThread,7_2_047CA3B0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A370 NtCreateFile,7_2_0295A370
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A4A0 NtClose,7_2_0295A4A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A420 NtReadFile,7_2_0295A420
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A550 NtAllocateVirtualMemory,7_2_0295A550
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A41A NtReadFile,7_2_0295A41A
          Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 98%
          Source: 52h0KETBXt.exe, 00000001.00000002.681699547.0000000000C9A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000001.00000002.685826170.0000000008CA0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000001.00000000.656176943.0000000000546000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSymLanguageVend.exe: vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000000.678692482.00000000004A6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSymLanguageVend.exe: vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000002.742451762.000000000114F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000002.741068625.0000000000A13000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamesystray.exej% vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exeBinary or memory string: OriginalFilenameSymLanguageVend.exe: vs 52h0KETBXt.exe
          Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dllJump to behavior
          Source: 52h0KETBXt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 52h0KETBXt.exeVirustotal: Detection: 33%
          Source: 52h0KETBXt.exeReversingLabs: Detection: 39%
          Source: 52h0KETBXt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\52h0KETBXt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\52h0KETBXt.exe "C:\Users\user\Desktop\52h0KETBXt.exe"
          Source: C:\Users\user\Desktop\52h0KETBXt.exeProcess created: C:\Users\user\Desktop\52h0KETBXt.exe C:\Users\user\Desktop\52h0KETBXt.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\52h0KETBXt.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\52h0KETBXt.exeProcess created: C:\Users\user\Desktop\52h0KETBXt.exe C:\Users\user\Desktop\52h0KETBXt.exeJump to behavior
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\52h0KETBXt.exe"Jump to behavior
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32Jump to behavior
          Source: C:\Users\user\Desktop\52h0KETBXt.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\52h0KETBXt.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/1@0/1
          Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\52h0KETBXt.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\52h0KETBXt.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
          Source: 52h0KETBXt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 52h0KETBXt.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp

          Data Obfuscation: