Loading ...

Play interactive tourEdit tour

Windows Analysis Report 52h0KETBXt.exe

Overview

General Information

Sample Name:52h0KETBXt.exe
Analysis ID:552749
MD5:c0fed64dae580efb8fb8308accf76cac
SHA1:d7de3d945c5e62ee8f7b77a508b8b0682cae713d
SHA256:5bd07db2eed6c7e67e3f3947b5336c6ba986cfbd03bd406c13eda1999a64fc70
Tags:exeFormbook
Infos:

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Yara detected AntiVM3
Multi AV Scanner detection for domain / URL
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Self deletion via cmd delete
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
.NET source code contains method to dynamically call methods (often used by packers)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Contains functionality to read the PEB
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

  • System is w10x64
  • 52h0KETBXt.exe (PID: 1360 cmdline: "C:\Users\user\Desktop\52h0KETBXt.exe" MD5: C0FED64DAE580EFB8FB8308ACCF76CAC)
    • 52h0KETBXt.exe (PID: 984 cmdline: C:\Users\user\Desktop\52h0KETBXt.exe MD5: C0FED64DAE580EFB8FB8308ACCF76CAC)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • autofmt.exe (PID: 5652 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • autoconv.exe (PID: 5656 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)
        • systray.exe (PID: 5644 cmdline: C:\Windows\SysWOW64\systray.exe MD5: 1373D481BE4C8A6E5F5030D2FB0A0C68)
          • cmd.exe (PID: 5468 cmdline: /c del "C:\Users\user\Desktop\52h0KETBXt.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • explorer.exe (PID: 5104 cmdline: "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS MD5: AD5296B280E8F522A8A897C96BAB0E1D)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18859:$sqlite3step: 68 34 1C 7B E1
    • 0x1896c:$sqlite3step: 68 34 1C 7B E1
    • 0x18888:$sqlite3text: 68 38 2A 90 C5
    • 0x189ad:$sqlite3text: 68 38 2A 90 C5
    • 0x1889b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189c3:$sqlite3blob: 68 53 D8 7F 8C
    00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b937:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c93a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 31 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      2.0.52h0KETBXt.exe.400000.8.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        2.0.52h0KETBXt.exe.400000.8.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        2.0.52h0KETBXt.exe.400000.8.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17a59:$sqlite3step: 68 34 1C 7B E1
        • 0x17b6c:$sqlite3step: 68 34 1C 7B E1
        • 0x17a88:$sqlite3text: 68 38 2A 90 C5
        • 0x17bad:$sqlite3text: 68 38 2A 90 C5
        • 0x17a9b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x17bc3:$sqlite3blob: 68 53 D8 7F 8C
        2.2.52h0KETBXt.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          2.2.52h0KETBXt.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab37:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 18 entries

          Sigma Overview

          No Sigma rule has matched

          Jbx Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Found malware configurationShow sources
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmpMalware Configuration Extractor: FormBook {"C2 list": ["www.hstolchsjybyl.com/a83r/"], "decoy": ["comercializadoralonso.com", "durhamschoolservces.com", "onegreencapital.com", "smartcities24.com", "maquinas.store", "brianlovesbonsai.com", "xin41518s.com", "moneyearnus.xyz", "be-mix.com", "fengyat.club", "inspectdecided.xyz", "paksafpakistan.com", "orhidlnt.top", "princesuraj.com", "vietnamvodka.com", "renewnow.site", "imageservices.xyz", "luxurytravelfranchise.com", "kp112.red", "royalyorkfirewood.com", "azharrizvi.com", "mtvamazon.com", "stlouisplatinumhomes.com", "ke6rkmtn.xyz", "roomviser.xyz", "rollcalloutfitters.com", "jlautoparts.net", "swipyy.xyz", "handymansaltlakecity.com", "tuespr.com", "prelink.xyz", "whrpky037.xyz", "yoga-4-health.com", "silvermoonandcompany.com", "meg-roh.com", "81218121.com", "prayerteamusa.com", "ocejxu.com", "lopeyhomeimporvementservice.com", "dcosearchandconnect.xyz", "md-newspages.online", "elinmex.online", "traineriq.com", "feministecologies.com", "gyltogether.com", "polyversed.com", "rodolforios.com", "bcfs0l.com", "51dmm.com", "metaverselivecasinos.com", "csjsgk.com", "impactincentivesregistry.com", "firekim.space", "jdzn.xyz", "d6ybf7yj.xyz", "sturt.xyz", "serious-cam.com", "stihl-gms.com", "gentleman5.xyz", "rustbeltcoders.net", "hmarketsed96.com", "cricfreelive.com", "wellyounow.com", "fwdrow.com"]}
          Multi AV Scanner detection for submitted fileShow sources
          Source: 52h0KETBXt.exeVirustotal: Detection: 33%Perma Link
          Source: 52h0KETBXt.exeReversingLabs: Detection: 39%
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORY
          Multi AV Scanner detection for domain / URLShow sources
          Source: www.hstolchsjybyl.com/a83r/Virustotal: Detection: 5%Perma Link
          Machine Learning detection for sampleShow sources
          Source: 52h0KETBXt.exeJoe Sandbox ML: detected
          Source: 2.2.52h0KETBXt.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.52h0KETBXt.exe.400000.8.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.52h0KETBXt.exe.400000.4.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 2.0.52h0KETBXt.exe.400000.6.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: 52h0KETBXt.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 52h0KETBXt.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 4x nop then pop esi
          Source: C:\Windows\SysWOW64\systray.exeCode function: 4x nop then pop esi

          Networking:

          barindex
          C2 URLs / IPs found in malware configurationShow sources
          Source: Malware configuration extractorURLs: www.hstolchsjybyl.com/a83r/
          Source: explorer.exe, 00000011.00000000.834267617.00000000008F7000.00000004.00000020.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: 52h0KETBXt.exe, 00000001.00000003.659840508.0000000005845000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.659900419.0000000005845000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.659871289.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://en.w
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.664631137.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.662971751.0000000005845000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://www.carterandcone.como.?
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: 52h0KETBXt.exe, 00000001.00000003.665154267.000000000587D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: 52h0KETBXt.exe, 00000001.00000003.666226019.000000000587D000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlP&
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coma
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comiona
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.coml1
          Source: 52h0KETBXt.exe, 00000001.00000002.681883527.0000000000E47000.00000004.00000040.sdmpString found in binary or memory: http://www.fontbureau.comm
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661311624.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661448122.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661191274.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661260196.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661386367.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661212364.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnK
          Source: 52h0KETBXt.exe, 00000001.00000003.661509000.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661311624.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661448122.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661191274.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661260196.0000000005846000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661386367.0000000005847000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661212364.0000000005844000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.661359025.0000000005847000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cni
          Source: 52h0KETBXt.exe, 00000001.00000003.668720087.0000000005875000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.668794708.0000000005875000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/1
          Source: 52h0KETBXt.exe, 00000001.00000003.668720087.0000000005875000.00000004.00000001.sdmp, 52h0KETBXt.exe, 00000001.00000003.668794708.0000000005875000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/;
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: 52h0KETBXt.exe, 00000001.00000002.683532411.0000000006A52000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: 52h0KETBXt.exe, 00000001.00000003.661448122.0000000005846000.00000004.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cno.
          Source: 52h0KETBXt.exe, 00000001.00000002.681699547.0000000000C9A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORY

          System Summary:

          barindex
          Malicious sample detected (through community Yara rule)Show sources
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 52h0KETBXt.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.8.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.52h0KETBXt.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.8.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.4.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.6.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.0.52h0KETBXt.exe.400000.6.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.52h0KETBXt.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.679463516.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.929865713.0000000000470000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.740647599.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.741087450.0000000000A30000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.713850034.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000000.679919351.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.741186169.0000000000E60000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000000.729857444.000000000DAB7000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.932677156.0000000002840000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.932951022.0000000002940000.00000040.00020000.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_00C6E6B0
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_00C6C284
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_00C6E6AC
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041E876
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00401030
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041E47F
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00402D90
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041DDBE
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00409E5B
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00409E60
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041E622
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00402FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0479841F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0484D466
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04780D20
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048525DD
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04852D07
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0479D5E0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04851D55
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047B2581
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047A6E30
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04852EF7
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0484D616
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0485DFCE
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04851FF1
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048520A8
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048528EC
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04841002
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0485E824
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047B20A0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0479B090
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047A4120
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0478F900
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048522AE
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0484DBD2
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_048403DA
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_04852B28
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047BEBB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295E876
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295E622
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02949E5B
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02949E60
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02942FB0
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295E47F
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_02942D90
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295DDB9
          Source: C:\Windows\SysWOW64\systray.exeCode function: String function: 0478B150 appears 39 times
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A370 NtCreateFile,
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A420 NtReadFile,
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A4A0 NtClose,
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A550 NtAllocateVirtualMemory,
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041A41A NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9540 NtReadFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C95D0 NtClose,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9660 NtAllocateVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9650 NtQueryValueKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C96E0 NtFreeVirtualMemory,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C96D0 NtCreateKey,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9710 NtQueryInformationToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9FE0 NtCreateMutant,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9780 NtMapViewOfSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9860 NtQuerySystemInformation,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9840 NtDelayExecution,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9910 NtAdjustPrivilegesToken,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C99A0 NtCreateSection,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A50 NtCreateFile,LdrInitializeThunk,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9560 NtWriteFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CAD30 NtSetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9520 NtWaitForSingleObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C95F0 NtQueryInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9670 NtQueryInformationProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9610 NtEnumerateValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CA770 NtOpenThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9770 NtSetInformationFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9760 NtOpenProcess,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9730 NtQueryVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CA710 NtOpenProcessToken,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C97A0 NtUnmapViewOfSection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CB040 NtSuspendThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9820 NtEnumerateKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C98F0 NtReadVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C98A0 NtWriteVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9950 NtQueueApcThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C99D0 NtCreateProcessEx,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A20 NtResumeThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A10 NtQuerySection,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A00 NtProtectVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9A80 NtOpenDirectoryObject,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047C9B00 NtSetValueKey,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_047CA3B0 NtGetContextThread,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A370 NtCreateFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A4A0 NtClose,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A420 NtReadFile,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A550 NtAllocateVirtualMemory,
          Source: C:\Windows\SysWOW64\systray.exeCode function: 7_2_0295A41A NtReadFile,
          Source: C:\Windows\explorer.exeProcess Stats: CPU usage > 98%
          Source: 52h0KETBXt.exe, 00000001.00000002.681699547.0000000000C9A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenameclr.dllT vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000001.00000002.685826170.0000000008CA0000.00000004.00020000.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000001.00000000.656176943.0000000000546000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSymLanguageVend.exe: vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000001.00000002.682477718.00000000038F9000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameUI.dllF vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000000.678692482.00000000004A6000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameSymLanguageVend.exe: vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000002.742451762.000000000114F000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exe, 00000002.00000002.741068625.0000000000A13000.00000040.00020000.sdmpBinary or memory string: OriginalFilenamesystray.exej% vs 52h0KETBXt.exe
          Source: 52h0KETBXt.exeBinary or memory string: OriginalFilenameSymLanguageVend.exe: vs 52h0KETBXt.exe
          Source: C:\Windows\explorer.exeSection loaded: usermgrproxy.dll
          Source: 52h0KETBXt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: 52h0KETBXt.exeVirustotal: Detection: 33%
          Source: 52h0KETBXt.exeReversingLabs: Detection: 39%
          Source: 52h0KETBXt.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\52h0KETBXt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknownProcess created: C:\Users\user\Desktop\52h0KETBXt.exe "C:\Users\user\Desktop\52h0KETBXt.exe"
          Source: C:\Users\user\Desktop\52h0KETBXt.exeProcess created: C:\Users\user\Desktop\52h0KETBXt.exe C:\Users\user\Desktop\52h0KETBXt.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autofmt.exe C:\Windows\SysWOW64\autofmt.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\autoconv.exe C:\Windows\SysWOW64\autoconv.exe
          Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\systray.exe C:\Windows\SysWOW64\systray.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\52h0KETBXt.exe"
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" /LOADSAVEDWINDOWS
          Source: C:\Users\user\Desktop\52h0KETBXt.exeProcess created: C:\Users\user\Desktop\52h0KETBXt.exe C:\Users\user\Desktop\52h0KETBXt.exe
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\Desktop\52h0KETBXt.exe"
          Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{660b90c8-73a9-4b58-8cae-355b7f55341b}\InProcServer32
          Source: C:\Users\user\Desktop\52h0KETBXt.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\52h0KETBXt.exe.logJump to behavior
          Source: classification engineClassification label: mal100.troj.evad.winEXE@10/1@0/1
          Source: C:\Windows\explorer.exeFile read: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\52h0KETBXt.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
          Source: C:\Windows\SysWOW64\systray.exeProcess created: C:\Windows\explorer.exe
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\52h0KETBXt.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: 52h0KETBXt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: 52h0KETBXt.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: systray.pdb source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: systray.pdbGCTL source: 52h0KETBXt.exe, 00000002.00000002.741057292.0000000000A10000.00000040.00020000.sdmp
          Source: Binary string: wntdll.pdbUGP source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: 52h0KETBXt.exe, 00000002.00000002.741255425.0000000000EA0000.00000040.00000001.sdmp, 52h0KETBXt.exe, 00000002.00000002.741563789.0000000000FBF000.00000040.00000001.sdmp, systray.exe, systray.exe, 00000007.00000002.934124002.0000000004760000.00000040.00000001.sdmp, systray.exe, 00000007.00000002.934415770.000000000487F000.00000040.00000001.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: 52h0KETBXt.exe, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.2.52h0KETBXt.exe.4d0000.0.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 1.0.52h0KETBXt.exe.4d0000.0.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.2.52h0KETBXt.exe.430000.1.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.9.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.1.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.7.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.2.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.3.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.5.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 2.0.52h0KETBXt.exe.430000.0.unpack, Auto_Machine/AutoMachine.cs.Net Code: P_000001 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          .NET source code contains method to dynamically call methods (often used by packers)Show sources
          Source: 52h0KETBXt.exe, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 1.2.52h0KETBXt.exe.4d0000.0.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 1.0.52h0KETBXt.exe.4d0000.0.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.2.52h0KETBXt.exe.430000.1.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.9.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.1.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.7.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.2.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.3.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.5.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: 2.0.52h0KETBXt.exe.430000.0.unpack, Auto_Machine/AutoMachine.cs.Net Code: LateBinding.LateCall(V_5, null, "Invoke", new object[] { null, V_6 }, null, null)
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D7C61 push es; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D66FC push ss; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D6804 push ds; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D6612 push es; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D7CAC push es; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D6820 push es; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_004D6732 push es; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 1_2_04DE8190 push ecx; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041F074 push 0000003Ah; retf
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041783E push 5B3B22F0h; retf
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041EA3B push E33F23DFh; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_00416B72 push eax; retf
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041EC07 push 2AB056CEh; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041D4C5 push eax; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041ECC6 push 2AB056CEh; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041654F push esp; iretd
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041D57C push eax; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exeCode function: 2_2_0041D512 push eax; ret
          Source: C:\Users\user\Desktop\52h0KETBXt.exe