Analysis Report uzo.exe

Overview

General Information

Sample Name: uzo.exe
Analysis ID: 285187
MD5: 7236b609fe63f7e878c033acc2e3786d
SHA1: da34d309c23aaa40cad0dfe553b1cd8a967f6831
SHA256: 771227e76d8a6029a3e557f2ce522002b07941e17289d1cdd5edafb29d42b1a9

Most interesting Screenshot:

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • uzo.exe (PID: 4772 cmdline: 'C:\Users\user\Desktop\uzo.exe' MD5: 7236B609FE63F7E878C033ACC2E3786D)
    • RegSvcs.exe (PID: 4852 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
      • explorer.exe (PID: 3508 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 6864 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6680 cmdline: /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6636 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • dfix-8pbx.exe (PID: 6832 cmdline: C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe MD5: 2867A3817C9245F7CF518524DFD18F28)
        • dfix-8pbx.exe (PID: 6796 cmdline: 'C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe' MD5: 2867A3817C9245F7CF518524DFD18F28)
          • conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x177648:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1778b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x1833e5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x182ed1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x1834e7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x18365f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x1782ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x18214c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0x178fc3:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x188fd7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x189fda:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x1860b9:$sqlite3step: 68 34 1C 7B E1
  • 0x1861cc:$sqlite3step: 68 34 1C 7B E1
  • 0x1860e8:$sqlite3text: 68 38 2A 90 C5
  • 0x18620d:$sqlite3text: 68 38 2A 90 C5
  • 0x1860fb:$sqlite3blob: 68 53 D8 7F 8C
  • 0x186223:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
22 further memory dump entries are not shown.

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 2.2.RegSvcs.exe.400000.0.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.RegSvcs.exe.400000.0.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 2.2.RegSvcs.exe.400000.0.unpack | Rule: Formbook | Description: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
  • 0x17549:$sqlite3step: 68 34 1C 7B E1
  • 0x1765c:$sqlite3step: 68 34 1C 7B E1
  • 0x17578:$sqlite3text: 68 38 2A 90 C5
  • 0x1769d:$sqlite3text: 68 38 2A 90 C5
  • 0x1758b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176b3:$sqlite3blob: 68 53 D8 7F 8C
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack | Rule: JoeSecurity_FormBook | Description: Yara detected FormBook | Author: Joe Security
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack | Rule: Formbook_1 | Description: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
1 further unpacked PE entry is not shown.

Sigma Overview

No Sigma rule has matched

Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: uzo.exe | Virustotal: Detection: 25%
Source: uzo.exe | ReversingLabs: Detection: 33%
Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.627359095.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.628267428.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406297432.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406618512.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406774586.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.369410571.0000000003765000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: uzo.exe | Joe Sandbox ML: detected
Source: 2.2.RegSvcs.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\uzo.exe | Code function: 4x nop then jmp 05949D4Ch 1_2_05949CC5
Source: C:\Users\user\Desktop\uzo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0594AC38
Source: C:\Users\user\Desktop\uzo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0594ACEC
Source: C:\Users\user\Desktop\uzo.exe | Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h 1_2_0594AC28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 4x nop then pop ebx 2_2_00407B05
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 4x nop then pop ebx 5_2_00117B05

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49746
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /bnc/?MlZ=GXIxB&LZNd=ubVcUatTAlpkG01YcL3qvZI0/+NFFcNSmoRhKLLGykuODGDP4VCuEw1UHzPbW1uLx8Ib HTTP/1.1 | Host: www.ourbrightstar.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS GOOGLEUS
Source: unknown | DNS traffic detected: queries for: www.ourbrightstar.com
Source: explorer.exe, 00000003.00000000.390988222.000000000E130000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000003.00000000.388173191.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.:
Source: explorer.exe, 00000003.00000000.388173191.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.mi
Source: explorer.exe, 00000003.00000000.388173191.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsL
Source: explorer.exe, 00000003.00000000.388173191.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsof
Source: explorer.exe, 00000003.00000000.388173191.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsoft.
Source: explorer.exe, 00000003.00000000.388173191.0000000007E2E000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.microsoft.co
Source: uzo.exe, 00000001.00000002.369079001.00000000026E1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000003.00000000.372676792.0000000002280000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000003.00000000.387098278.0000000007CC8000.00000004.00000001.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000003.00000000.389899658.000000000C236000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: NETSTAT.EXE, 00000005.00000003.507855803.00000000006DD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: NETSTAT.EXE, 00000005.00000003.507855803.00000000006DD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: NETSTAT.EXE, 00000005.00000002.628495227.00000000006D0000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: NETSTAT.EXE, 00000005.00000003.507855803.00000000006DD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
Source: NETSTAT.EXE, 00000005.00000002.627320114.00000000000D8000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srfken&display=windesktop&theme=win7&lc=1033&redirect_uri=htt
Source: NETSTAT.EXE, 00000005.00000002.628399815.00000000006B7000.00000004.00000020.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033S7
Source: NETSTAT.EXE, 00000005.00000003.507855803.00000000006DD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: NETSTAT.EXE, 00000005.00000003.507855803.00000000006DD000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.

E-Banking Fraud:

Yara detected FormBook
Source: Yara match | File source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.627359095.0000000000110000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.628267428.0000000000620000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406297432.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406618512.0000000000E40000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.406774586.0000000001170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.369410571.0000000003765000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE

System Summary:

Detected FormBook malware
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\KN6956U-\KN6logri.ini
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\KN6956U-\KN6logrv.ini
Malicious sample detected (through community Yara rule)
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.627359095.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.627359095.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.628267428.0000000000620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000005.00000002.628267428.0000000000620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.406297432.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.406297432.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.406618512.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.406618512.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.406774586.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.406774586.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 00000001.00000002.369410571.0000000003765000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000001.00000002.369410571.0000000003765000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419CA0 NtCreateFile,2_2_00419CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419D50 NtReadFile,2_2_00419D50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419DD0 NtClose,2_2_00419DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419E80 NtAllocateVirtualMemory,2_2_00419E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419D4A NtReadFile,2_2_00419D4A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419DCA NtClose,2_2_00419DCA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00419E7A NtAllocateVirtualMemory,2_2_00419E7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329910 NtAdjustPrivilegesToken,LdrInitializeThunk,2_2_01329910
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013299A0 NtCreateSection,LdrInitializeThunk,2_2_013299A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329860 NtQuerySystemInformation,LdrInitializeThunk,2_2_01329860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329840 NtDelayExecution,LdrInitializeThunk,2_2_01329840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013298F0 NtReadVirtualMemory,LdrInitializeThunk,2_2_013298F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329A20 NtResumeThread,LdrInitializeThunk,2_2_01329A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329A00 NtProtectVirtualMemory,LdrInitializeThunk,2_2_01329A00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329A50 NtCreateFile,LdrInitializeThunk,2_2_01329A50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329540 NtReadFile,LdrInitializeThunk,2_2_01329540
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013295D0 NtClose,LdrInitializeThunk,2_2_013295D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329710 NtQueryInformationToken,LdrInitializeThunk,2_2_01329710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013297A0 NtUnmapViewOfSection,LdrInitializeThunk,2_2_013297A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329780 NtMapViewOfSection,LdrInitializeThunk,2_2_01329780
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329660 NtAllocateVirtualMemory,LdrInitializeThunk,2_2_01329660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013296E0 NtFreeVirtualMemory,LdrInitializeThunk,2_2_013296E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329950 NtQueueApcThread,2_2_01329950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013299D0 NtCreateProcessEx,2_2_013299D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329820 NtEnumerateKey,2_2_01329820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0132B040 NtSuspendThread,2_2_0132B040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013298A0 NtWriteVirtualMemory,2_2_013298A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329B00 NtSetValueKey,2_2_01329B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0132A3B0 NtGetContextThread,2_2_0132A3B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329A10 NtQuerySection,2_2_01329A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329A80 NtOpenDirectoryObject,2_2_01329A80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0132AD30 NtSetContextThread,2_2_0132AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329520 NtWaitForSingleObject,2_2_01329520
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329560 NtWriteFile,2_2_01329560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013295F0 NtQueryInformationFile,2_2_013295F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329730 NtQueryVirtualMemory,2_2_01329730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0132A710 NtOpenProcessToken,2_2_0132A710
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329770 NtSetInformationFile,2_2_01329770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0132A770 NtOpenThread,2_2_0132A770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329760 NtOpenProcess,2_2_01329760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329FE0 NtCreateMutant,2_2_01329FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329610 NtEnumerateValueKey,2_2_01329610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329670 NtQueryInformationProcess,2_2_01329670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01329650 NtQueryValueKey,2_2_01329650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013296D0 NtCreateKey,2_2_013296D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9A50 NtCreateFile,LdrInitializeThunk,5_2_02DA9A50
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9B00 NtSetValueKey,LdrInitializeThunk,5_2_02DA9B00
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9840 NtDelayExecution,LdrInitializeThunk,5_2_02DA9840
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9860 NtQuerySystemInformation,LdrInitializeThunk,5_2_02DA9860
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA99A0 NtCreateSection,LdrInitializeThunk,5_2_02DA99A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9910 NtAdjustPrivilegesToken,LdrInitializeThunk,5_2_02DA9910
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA96D0 NtCreateKey,LdrInitializeThunk,5_2_02DA96D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA96E0 NtFreeVirtualMemory,LdrInitializeThunk,5_2_02DA96E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9650 NtQueryValueKey,LdrInitializeThunk,5_2_02DA9650
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9660 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_02DA9660
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9610 NtEnumerateValueKey,LdrInitializeThunk,5_2_02DA9610
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9FE0 NtCreateMutant,LdrInitializeThunk,5_2_02DA9FE0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9780 NtMapViewOfSection,LdrInitializeThunk,5_2_02DA9780
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9770 NtSetInformationFile,LdrInitializeThunk,5_2_02DA9770
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9710 NtQueryInformationToken,LdrInitializeThunk,5_2_02DA9710
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA95D0 NtClose,LdrInitializeThunk,5_2_02DA95D0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9540 NtReadFile,LdrInitializeThunk,5_2_02DA9540
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9560 NtWriteFile,LdrInitializeThunk,5_2_02DA9560
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9A80 NtOpenDirectoryObject,5_2_02DA9A80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9A10 NtQuerySection,5_2_02DA9A10
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9A00 NtProtectVirtualMemory,5_2_02DA9A00
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9A20 NtResumeThread,5_2_02DA9A20
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DAA3B0 NtGetContextThread,5_2_02DAA3B0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA98F0 NtReadVirtualMemory,5_2_02DA98F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA98A0 NtWriteVirtualMemory,5_2_02DA98A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DAB040 NtSuspendThread,5_2_02DAB040
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9820 NtEnumerateKey,5_2_02DA9820
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA99D0 NtCreateProcessEx,5_2_02DA99D0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9950 NtQueueApcThread,5_2_02DA9950
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9670 NtQueryInformationProcess,5_2_02DA9670
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA97A0 NtUnmapViewOfSection,5_2_02DA97A0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DAA770 NtOpenThread,5_2_02DAA770
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9760 NtOpenProcess,5_2_02DA9760
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DAA710 NtOpenProcessToken,5_2_02DAA710
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9730 NtQueryVirtualMemory,5_2_02DA9730
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA95F0 NtQueryInformationFile,5_2_02DA95F0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DAAD30 NtSetContextThread,5_2_02DAAD30
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_02DA9520 NtWaitForSingleObject,5_2_02DA9520
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129CA0 NtCreateFile,5_2_00129CA0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129D50 NtReadFile,5_2_00129D50
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129DD0 NtClose,5_2_00129DD0
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129E80 NtAllocateVirtualMemory,5_2_00129E80
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129D4A NtReadFile,5_2_00129D4A
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129DCA NtClose,5_2_00129DCA
          Source: C:\Windows\SysWOW64\NETSTAT.EXECode function: 5_2_00129E7A NtAllocateVirtualMemory,5_2_00129E7A
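The native-API list above records which Nt* stubs the unpacked code inside RegSvcs.exe and NETSTAT.EXE references. A referenced stub is not proof that the call fired, so the useful triage step is to group the references per process and ask whether, taken together, they cover a complete injection chain (obtain a target process, write into it, hijack a thread, resume it) rather than reacting to any single API. The Python below is an added example written for this page, not code from the sandbox vendor or from the sample; the role grouping, the "full chain" rule and the dozen report lines it parses (copied from the list above, deliberately in both the collapsed and a separated layout) are the example's own choices.

```python
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed input: a subset of the "Code function" lines from this report.
# The regex accepts both the collapsed "...exeCode function:" layout and a
# "... | Code function:" layout; the trailing repeated address is ignored.
SAMPLE_LINES = r"""
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_0132AD30 NtSetContextThread,2_2_0132AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_01329760 NtOpenProcess,2_2_01329760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 2_2_01329730 NtQueryVirtualMemory,2_2_01329730
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DAAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9A20 NtResumeThread
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DA9560 NtWriteFile,LdrInitializeThunk
"""

LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<addr>\d+_\d+_[0-9A-Fa-f]+)\s+(?P<apis>\S+)"
)

# Roles in a hollowing / thread-hijack chain and the Nt* stubs that fill them.
# This grouping is the example's own assumption, not part of the report.
INJECTION_ROLES: Dict[str, Set[str]] = {
    "target": {"NtOpenProcess", "NtCreateProcessEx"},
    "map":    {"NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection",
               "NtAllocateVirtualMemory", "NtProtectVirtualMemory"},
    "write":  {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "hijack": {"NtSetContextThread", "NtQueueApcThread"},
    "resume": {"NtResumeThread"},
}
FULL_CHAIN = ("target", "write", "hijack", "resume")


def parse_native_calls(text: str) -> Dict[str, Set[str]]:
    """Image file name -> set of Nt* stubs referenced by that process's code."""
    calls: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        image = m.group("proc").replace("/", "\\").rsplit("\\", 1)[-1]
        for api in m.group("apis").split(","):
            if api.startswith("Nt"):   # skips LdrInitializeThunk and the repeated address
                calls[image].add(api)
    return dict(calls)


def injection_profile(apis: Set[str]) -> Dict[str, object]:
    """Which chain roles the stub set covers, and whether every required role is present."""
    roles: Dict[str, List[str]] = {r: sorted(apis & names) for r, names in INJECTION_ROLES.items()}
    return {"roles": roles, "full_chain": all(roles[r] for r in FULL_CHAIN)}


def triage(text: str) -> Dict[str, Dict[str, object]]:
    return {image: injection_profile(apis) for image, apis in parse_native_calls(text).items()}


if __name__ == "__main__":
    for image, prof in triage(SAMPLE_LINES).items():
        print(f"{image}: {'full injection chain' if prof['full_chain'] else 'partial'}")
        for role, names in prof["roles"].items():
            if names:
                print(f"  {role:6s} {', '.join(names)}")
```

Run against the constructed lines, NETSTAT.EXE covers every required role (NtCreateProcessEx, NtMapViewOfSection/NtWriteVirtualMemory, NtSetContextThread/NtQueueApcThread, NtResumeThread) while the RegSvcs.exe subset only reaches the target and hijack roles. Presence of a stub still has to be correlated with the behavioural signatures in the report before calling it injection; the grouping only tells you where to look.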
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_00197AF2
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_00CDC148
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_00CDA758
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_04C0D4F0
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05860BD8
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05860BE8
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_0586CB10
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_0594B5E8
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05946468
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05940D7A
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05946458
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05940006
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05940040
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05945A18
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_05945A09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00401030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041D191
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041DA3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004012FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041E4C9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00402D90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00409E1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00409E20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041CFAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00402FB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01304120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012EF900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013099BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0130A830
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013BE824
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013A1002
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013120A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B20A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012FB090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B28EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B2B28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0130A309
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0130AB40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0131EBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013923E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013A03DA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013ADBD2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0131ABD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0139FA2B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B22AE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013A4AEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012E0D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B2D07
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B1D55
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01312581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013A2D82
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012FD5E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B25DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_012F841F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013AD466
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013A4496
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B1FF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013BDFCE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_01306E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013AD616
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_013B2EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E322AE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E1FA2B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D9ABD8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E2DBD2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E203DA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D9EBB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8AB40
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E32B28
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8A309
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E328EC
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D7B090
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E320A8
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D920A0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E3E824
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E21002
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D8A830
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D899BF
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D6F900
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D84120
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E32EF7
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D86E30
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E2D616
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E31FF1
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E3DFCE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E2D466
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D7841F
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D7D5E0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E325DD
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D92581
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E31D55
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02E32D07
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02D60D20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012E4C9
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00112D90
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00119E1B
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00119E20
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00112FB0
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012CFAD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: String function: 012EB150 appears 133 times
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 02D6B150 appears 87 times
Source: uzo.exe, 00000001.00000002.368250137.0000000000202000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamep3TC.exe: vs uzo.exe
Source: uzo.exe, 00000001.00000002.369079001.00000000026E1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs uzo.exe
Source: uzo.exe | Binary or memory string: OriginalFilenamep3TC.exe: vs uzo.exe
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.369519744.0000000003867000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.628137580.00000000005F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.627359095.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.627359095.0000000000110000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.628267428.0000000000620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000005.00000002.628267428.0000000000620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.406297432.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.406297432.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.406618512.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.406618512.0000000000E40000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.406774586.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.406774586.0000000001170000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000001.00000002.369410571.0000000003765000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000001.00000002.369410571.0000000003765000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: uzo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: uzo.exe, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.0.uzo.exe.190000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 1.2.uzo.exe.190000.0.unpack, SecurityZone.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@12/8@1/1
Source: C:\Users\user\Desktop\uzo.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\uzo.exe.log
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6636:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_01
Source: C:\Users\user\Desktop\uzo.exe | Mutant created: \Sessions\1\BaseNamedObjects\ZWJVkIVrFIKaupm
Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\Cblrldx20
Source: uzo.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\uzo.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\uzo.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: uzo.exe | Virustotal: Detection: 25%
Source: uzo.exe | ReversingLabs: Detection: 33%
Source: unknown | Process created: C:\Users\user\Desktop\uzo.exe 'C:\Users\user\Desktop\uzo.exe'
Source: unknown | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe
Source: unknown | Process created: C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe 'C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\uzo.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe
Source: C:\Windows\explorer.exe | Process created: C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe 'C:\Program Files (x86)\Cblrldx20\dfix-8pbx.exe'
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe'
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9FC8E510-A27C-4B3B-B9A3-BF65F00256A8}\InProcServer32
Source: C:\Windows\SysWOW64\NETSTAT.EXE | File written: C:\Users\user\AppData\Roaming\KN6956U-\KN6logri.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\uzo.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: uzo.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: uzo.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: netstat.pdbGCTL source: RegSvcs.exe, 00000002.00000002.406933728.00000000011F0000.00000040.00000001.sdmp
          Source: Binary string: wscui.pdbUGP source: explorer.exe, 00000003.00000000.386230278.0000000007640000.00000002.00000001.sdmp
          Source: Binary string: netstat.pdb source: RegSvcs.exe, 00000002.00000002.406933728.00000000011F0000.00000040.00000001.sdmp
          Source: Binary string: RegSvcs.pdb, source: NETSTAT.EXE, 00000005.00000002.628431562.00000000006BF000.00000004.00000020.sdmp, dfix-8pbx.exe, 0000001B.00000000.546121343.0000000000FA2000.00000002.00020000.sdmp, dfix-8pbx.exe, 0000001C.00000002.553077016.0000000000DE2000.00000002.00020000.sdmp, dfix-8pbx.exe.3.dr
          Source: Binary string: wntdll.pdbUGP source: RegSvcs.exe, 00000002.00000002.407148157.00000000013DF000.00000040.00000001.sdmp, NETSTAT.EXE, 00000005.00000002.629775162.0000000002E5F000.00000040.00000001.sdmp
          Source: Binary string: System.EnterpriseServices.Wrapper.pdb source: dfix-8pbx.exe, 0000001C.00000002.556067503.0000000005710000.00000002.00000001.sdmp
          Source: Binary string: wntdll.pdb source: RegSvcs.exe, NETSTAT.EXE
          Source: Binary string: RegSvcs.pdb source: dfix-8pbx.exe, dfix-8pbx.exe.3.dr
          Source: Binary string: wscui.pdb source: explorer.exe, 00000003.00000000.386230278.0000000007640000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\uzo.exe | Code function: 1_2_00197F93 push es; iretd 1_2_001980FA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004178DA push esp; retf 2_2_004178DB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041717C push es; iretd 2_2_0041718A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004169F8 push ds; retf 2_2_00416A39
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00416A74 push 5E76E236h; retf 2_2_00416A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00417AE9 push esp; retf 2_2_00417AEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00407AFF push ebx; ret 2_2_00407B04
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00416ABA push 5E76E236h; retf 2_2_00416A90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0040E343 push esp; iretd 2_2_0040E344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00416B3E push ecx; iretd 2_2_00416B3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_004163F3 push ds; iretd 2_2_004163F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041CDF5 push eax; ret 2_2_0041CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041CE42 push eax; ret 2_2_0041CE48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041CE4B push eax; ret 2_2_0041CEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_00417695 push eax; retf 2_2_00417770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041CEAC push eax; ret 2_2_0041CEB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0041776D push eax; retf 2_2_00417770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 2_2_0133D0D1 push ecx; ret 2_2_0133D0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_02DBD0D1 push ecx; ret 5_2_02DBD0E4
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_001278DA push esp; retf 5_2_001278DB
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012717C push es; iretd 5_2_0012718A
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00117AFF push ebx; ret 5_2_00117B04
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012DAE7 push esp; iretd 5_2_0012DAEE
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00127AE9 push esp; retf 5_2_00127AEA
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012DB29 push 00000061h; retf 5_2_0012DB2C
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0011E343 push esp; iretd 5_2_0011E344
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012CDF5 push eax; ret 5_2_0012CE48
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012CE42 push eax; ret 5_2_0012CE48
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012CE4B push eax; ret 5_2_0012CEB2
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_00127695 push eax; retf 5_2_00127770
Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 5_2_0012CEAC push eax; ret 5_2_0012CEB2
          Source: initial sampleStatic PE information: section name: .text entropy: 7.91525107707
          Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\Cblrldx20\dfix-8pbx.exeJump to dropped file
          Source: C:\Windows\SysWOW64\NETSTAT.EXERegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YP9L_R_Jump to behavior
          Source: C:\Windows\SysWOW64\NETSTAT.EXERegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run YP9L_R_Jump to behavior

          Hooking and other Techniques for Hiding and Protection:

          Modifies the prolog of user mode functions (user mode inline hooks)
          Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xED